Platform
php
Component
yeswiki/yeswiki
Fixed in
4.5.5
4.5.4
CVE-2025-46348 is a critical vulnerability affecting YesWiki versions up to 4.5.3. It allows unauthenticated attackers to initiate and download site backups, leading to potential data exposure. This vulnerability arises from insufficient authentication checks during the backup creation and retrieval processes. A fix is available in version 4.5.4.
The primary impact of CVE-2025-46348 is the unauthorized exposure of sensitive data stored within YesWiki backups. Attackers can leverage this vulnerability to download complete site archives without authentication. These archives may contain user credentials, configuration files, database dumps, and other confidential information. The predictable naming convention of the backup files further simplifies exploitation, allowing attackers to target specific backups. This could lead to data breaches, identity theft, and compromise of the entire YesWiki instance.
This vulnerability was publicly disclosed on 2025-04-29. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. The lack of authentication required for backup operations significantly lowers the barrier to entry for attackers. No KEV listing is currently available.
Organizations and individuals using YesWiki, particularly those hosting their own instances or utilizing shared hosting environments, are at risk. Legacy YesWiki installations that have not been regularly updated are especially vulnerable. Those relying on YesWiki for sensitive data storage or internal documentation are at higher risk.
• php / server:
find /var/www/yeswiki/ -name 'backup.tar.gz' -print
• php / server:
grep -r "action=s" /var/log/apache2/access.log
• generic web:
curl -I http://your-yeswiki-domain.com/?api/archives
• generic web:
Check access logs for requests to /?api/archives without authentication headers.
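The last check above, worked through as an added example (not code from the advisory or the YesWiki project): it parses Apache combined-format access log lines, keeps every request to the /?api/archives endpoint, and flags the successful ones that carry no HTTP-auth user. The log lines are constructed samples; the log format, paths and IPs are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Requests to the YesWiki archives API endpoint named in the advisory's checks.
ARCHIVES_RE = re.compile(r'^/\?api/archives(?:/|$|\?)')

# Constructed sample log lines (not real traffic). "-" in the user field = no HTTP-auth user.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:02 +0000] "GET /?PagePrincipale HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:10:01:05 +0000] "POST /?api/archives HTTP/1.1" 200 86 "-" "curl/8.4.0"
203.0.113.7 - - [29/Apr/2025:10:02:40 +0000] "GET /?api/archives/backup.tar.gz HTTP/1.1" 200 9437184 "-" "curl/8.4.0"
198.51.100.12 - admin [29/Apr/2025:11:15:00 +0000] "GET /?api/archives HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Apr/2025:12:00:00 +0000] "GET /?api/archives HTTP/1.1" 403 123 "-" "curl/8.4.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_archive_requests(log_text):
    """Return every parsed request to /?api/archives, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ARCHIVES_RE.match(rec["path"]):
            hits.append(rec)
    return hits

def suspicious_hits(hits):
    """Successful (2xx) archive requests with no HTTP-auth user. YesWiki normally
    authenticates with a session cookie, which the access log does not record,
    so these are candidates for manual review, not proof of unauthenticated access."""
    return [h for h in hits if h["status"].startswith("2") and h["user"] == "-"]

def summarize(log_text):
    """Counts of archive requests, suspicious ones, and suspicious requests per host."""
    hits = find_archive_requests(log_text)
    susp = suspicious_hits(hits)
    return {"hits": len(hits), "suspicious": len(susp),
            "hosts": dict(Counter(h["host"] for h in susp))}

if __name__ == "__main__":
    for h in suspicious_hits(find_archive_requests(SAMPLE_LOG)):
        print(f'{h["host"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(SAMPLE_LOG))
```

Point it at a real log with `summarize(open("/var/log/apache2/access.log").read())`; a 200 on a `backup.tar.gz` download from a host with no session you recognise is the case to investigate first.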
disclosure
Exploit status
EPSS
0.44% (63rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-46348 is to immediately upgrade YesWiki to version 4.5.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the backup directory or modifying the YesWiki configuration to disable the backup feature entirely. Monitor YesWiki logs for suspicious activity, particularly requests related to archive creation and download. After upgrading, confirm the fix by attempting to create and download a backup without authentication; the request should be denied.
Update YesWiki to version 4.5.4 or later. This version fixes the vulnerability that allowed site backups to be created and downloaded without authentication. The update prevents attackers from reaching the site's sensitive information or filling the file system with backup requests.
CVE-2025-46348 is a critical vulnerability in YesWiki versions up to 4.5.3 that allows unauthenticated users to create and download site backups, potentially exposing sensitive data.
Yes, you are affected if you are using YesWiki version 4.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade YesWiki to version 4.5.4 or later to resolve this vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the backup directory.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority vulnerability.
Refer to the YesWiki project's official website and security advisories for the latest information and updates regarding CVE-2025-46348.