Platform
php
Component
yeswiki/yeswiki
Fixed in
4.5.5
4.5.4
CVE-2025-46348 is a critical vulnerability affecting YesWiki versions up to 4.5.3. It allows unauthenticated attackers to initiate and download site backups, leading to potential data exposure. This vulnerability arises from insufficient authentication checks during the backup creation and retrieval processes. A fix is available in version 4.5.4.
The primary impact of CVE-2025-46348 is the unauthorized exposure of sensitive data stored within YesWiki backups. Attackers can leverage this vulnerability to download complete site archives without authentication. These archives may contain user credentials, configuration files, database dumps, and other confidential information. The predictable naming convention of the backup files further simplifies exploitation, allowing attackers to target specific backups. This could lead to data breaches, identity theft, and compromise of the entire YesWiki instance.
This vulnerability was publicly disclosed on 2025-04-29. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. The lack of authentication required for backup operations significantly lowers the barrier to entry for attackers. No KEV listing is currently available.
Organizations and individuals using YesWiki, particularly those hosting their own instances or utilizing shared hosting environments, are at risk. Legacy YesWiki installations that have not been regularly updated are especially vulnerable. Those relying on YesWiki for sensitive data storage or internal documentation are at higher risk.
• php / server:
  find /var/www/yeswiki/ -name 'backup.tar.gz' -print
• php / server:
  grep -r "action=s" /var/log/apache2/access.log
• generic web:
  curl -I 'http://your-yeswiki-domain.com/?api/archives'
• generic web:
  Check the web-server access logs for requests to /?api/archives from clients that have no authenticated session. Combined-format logs do not record cookies, so correlate hits against the IPs of known administrators; on a patched instance every anonymous request to this endpoint should be refused.
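The last check above, turned into a script: it scans Apache/nginx combined-format access logs for requests to the archives endpoint, groups them by client IP, and separates refused hits (4xx) from ones the server actually served (2xx), which on an unpatched instance means an anonymous client got a listing, a download, or created a backup. This is an added example for this page, not code from the YesWiki project. It assumes the combined log format and that the endpoint is reached via the query string `api/archives` as shown above; the log lines are constructed.

```python
"""Flag requests to the YesWiki archives API (/?api/archives, CVE-2025-46348)
in combined-format access logs. Added example; not YesWiki project code."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The endpoint is selected by the query string, so match after the '?'.
# Targets are percent-decoded first so "api%2Farchives" is not missed.
ARCHIVE_RE = re.compile(r'\?api/archives', re.IGNORECASE)

# Constructed sample: one client lists, creates and downloads a backup and is
# served every time (unpatched behaviour); a second client is refused (403).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2025:10:01:02 +0000] "GET /?PagePrincipale HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2025:10:01:05 +0000] "POST /?api/archives HTTP/1.1" 200 87 "-" "curl/8.5.0"
203.0.113.7 - - [30/Apr/2025:10:01:09 +0000] "GET /?api/archives HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.7 - - [30/Apr/2025:10:01:12 +0000] "GET /?api%2Farchives/backup.tar.gz HTTP/1.1" 200 2097152 "-" "curl/8.5.0"
198.51.100.4 - - [30/Apr/2025:10:02:00 +0000] "GET /?api/archives HTTP/1.1" 403 212 "-" "curl/8.5.0"
192.0.2.9 - - [30/Apr/2025:10:03:00 +0000] "GET /?Accueil HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['target'] = unquote(entry['target'])
    entry['status'] = int(entry['status'])
    return entry


def is_archive_request(entry):
    """True when the request targets the archives API."""
    return ARCHIVE_RE.search(entry['target']) is not None


def scan(log_text):
    """Group archive-API hits per client IP.

    Returns {ip: {'total', 'served' (2xx), 'refused' (4xx), 'methods': Counter,
    'requests': [(method, target, status), ...]}}. The log does not say whether a
    client was logged in, so a 'served' count for an IP that is not a known
    administrator is the signal to follow up on; many served POSTs from one IP
    also points at the disk-filling abuse of the same endpoint.
    """
    report = defaultdict(lambda: {
        'total': 0, 'served': 0, 'refused': 0,
        'methods': Counter(), 'requests': [],
    })
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or not is_archive_request(entry):
            continue
        r = report[entry['ip']]
        r['total'] += 1
        if 200 <= entry['status'] < 300:
            r['served'] += 1
        elif 400 <= entry['status'] < 500:
            r['refused'] += 1
        r['methods'][entry['method']] += 1
        r['requests'].append((entry['method'], entry['target'], entry['status']))
    return dict(report)


if __name__ == '__main__':
    for ip, r in scan(SAMPLE_LOG).items():
        print(f"{ip}: {r['total']} archive request(s), {r['served']} served, "
              f"{r['refused']} refused, methods={dict(r['methods'])}")
        for method, target, status in r['requests']:
            print(f"    {method} {target} -> {status}")
```

Run it against a real log with `scan(open('/var/log/apache2/access.log').read())`; any IP with a non-zero `served` count that is not one of your administrators is worth treating as a possible backup exfiltration and checking the backup directory for archives created at those timestamps.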
Disclosure: 2025-04-29
Exploit Status: no active exploitation campaigns publicly confirmed; not listed in CISA KEV
EPSS: 0.44% (63rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-46348 is to upgrade YesWiki to version 4.5.4 or later immediately. If upgrading is not feasible right away, consider temporary workarounds such as restricting network access to the backup directory and to the archive endpoint, or disabling the backup feature in the YesWiki configuration entirely. Monitor the web-server access logs for suspicious activity, particularly requests related to archive creation and download. After upgrading, confirm the fix by attempting to create and download a backup without authentication; the request should be denied.
Update YesWiki to version 4.5.4 or later. This version corrects the vulnerability that allows unauthenticated creation and download of site backups. The update prevents unauthenticated attackers from obtaining sensitive site information and from filling the filesystem with repeated backup requests.
CVE-2025-46348 is a critical vulnerability in YesWiki versions up to 4.5.3 that allows unauthenticated users to create and download site backups, potentially exposing sensitive data.
Yes, you are affected if you are using YesWiki version 4.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade YesWiki to version 4.5.4 or later to resolve this vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the backup directory.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority vulnerability.
Refer to the YesWiki project's official website and security advisories for the latest information and updates regarding CVE-2025-46348.