CVE-2025-46348 is a critical vulnerability affecting YesWiki versions up to 4.5.3. It allows unauthenticated attackers to initiate and download site backups, leading to potential data exposure. This vulnerability arises from insufficient authentication checks during the backup creation and retrieval processes. A fix is available in version 4.5.4.
The primary impact of CVE-2025-46348 is the unauthorized exposure of sensitive data stored within YesWiki backups. Attackers can leverage this vulnerability to download complete site archives without authentication. These archives may contain user credentials, configuration files, database dumps, and other confidential information. The predictable naming convention of the backup files further simplifies exploitation, allowing attackers to target specific backups. This could lead to data breaches, identity theft, and compromise of the entire YesWiki instance.
This vulnerability was publicly disclosed on 2025-04-29. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. Because the backup operations required no authentication, the barrier to entry for attackers is very low. The vulnerability is not currently listed in CISA's KEV catalog.
Organizations and individuals using YesWiki, particularly those hosting their own instances or utilizing shared hosting environments, are at risk. Legacy YesWiki installations that have not been regularly updated are especially vulnerable. Those relying on YesWiki for sensitive data storage or internal documentation are at higher risk.
• php / server:
  find /var/www/yeswiki/ -name 'backup.tar.gz' -print
• php / server:
  grep -r "action=s" /var/log/apache2/access.log
• generic web:
  curl -I 'http://your-yeswiki-domain.com/?api/archives'
• generic web:
  Check access logs for requests to /?api/archives without authentication headers.
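The last check above, carried out as a small log triage script. This is an added example, not part of the original advisory or the YesWiki project: it parses Apache combined-format access log lines (the format and the sample lines are constructed for illustration) and flags requests to the /?api/archives route that carried no authenticated remote user and were not rejected by the server.

```python
import re
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" log format (assumed layout; remote user is field 3,
# logged as '-' when the request carried no HTTP authentication).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The backup API route named in the advisory; sub-routes and query variants
# are matched by prefix because the advisory does not enumerate them.
ARCHIVE_ROUTE = re.compile(r'^/\?api/archives(?:[/&?].*)?$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None for lines that don't fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_archive_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return entries that reached /?api/archives with no authenticated user
    and a non-error status. After the 4.5.4 fix such requests should be denied,
    so any hit from before the upgrade is worth investigating."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not ARCHIVE_ROUTE.match(entry["path"]):
            continue
        if entry["user"] != "-":
            continue  # authenticated user: expected administrative use
        if int(entry["status"]) >= 400:
            continue  # request was rejected; this is the post-fix behaviour
        hits.append(entry)
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:02 +0000] "POST /?api/archives HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [29/Apr/2025:10:01:09 +0000] "GET /?api/archives/ HTTP/1.1" 200 1048576 "-" "curl/8.5.0"
198.51.100.4 - admin [29/Apr/2025:10:05:00 +0000] "GET /?api/archives HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2025:08:00:00 +0000] "GET /?api/archives HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.1 - - [30/Apr/2025:08:00:01 +0000] "GET /?HomePage HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_unauthenticated_archive_requests(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

Point the script at the real access log (one line per iteration) to triage an instance that was exposed before upgrading.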
EPSS: 0.44% (63rd percentile)
The primary mitigation for CVE-2025-46348 is to immediately upgrade YesWiki to version 4.5.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the backup directory or modifying the YesWiki configuration to disable the backup feature entirely. Monitor YesWiki logs for suspicious activity, particularly requests related to archive creation and download. After upgrading, confirm the fix by attempting to create and download a backup without authentication; the request should be denied.
Update YesWiki to version 4.5.4 or later. This version fixes the vulnerability that allowed site backups to be created and downloaded without authentication. Updating prevents unauthorized attackers from accessing sensitive site information or filling the filesystem through backup requests.
CVE-2025-46348 is a critical vulnerability in YesWiki versions up to 4.5.3 that allows unauthenticated users to create and download site backups, potentially exposing sensitive data.
Yes, you are affected if you are using YesWiki version 4.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade YesWiki to version 4.5.4 or later to resolve this vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the backup directory.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority vulnerability.
Refer to the YesWiki project's official website and security advisories for the latest information and updates regarding CVE-2025-46348.