GHSA-35F3-PG38-486F
Vulnerability from github – Published: 2026-07-09 21:00 – Updated: 2026-07-09 21:00Summary
YesWiki's archived-revision view reflects the time GET parameter into a hidden HTML input in handlers/page/show.php without escaping. Because MySQL coerces malformed DATETIME strings, an attacker can append HTML or JavaScript to a valid archived revision timestamp, still load that archived revision, and execute arbitrary JavaScript in the victim's browser.
The vulnerable form is only rendered when the victim can both read and edit the target page. In restricted deployments this requires a victim with read and write access to that page. On a default doryphore 4.6.5 install, public pages such as PagePrincipale were editable anonymously during validation, so the issue can also affect unauthenticated visitors in that configuration.
Details
The request routing path uses the user-controlled time parameter to load a specific page revision. In includes/YesWiki.php around Run() line 1223, the request is routed through:
$this->SetPage($this->LoadPage($tag, isset($_REQUEST['time']) ? $_REQUEST['time'] : ''));
LoadPage() delegates to PageManager::getOne() in includes/services/PageManager.php around line 75, which builds a SQL predicate directly from the supplied revision time:
$timeQuery = $time ? "time = '{$this->dbService->escape($time)}'" : "latest = 'Y'";
If the loaded page is an archived revision (latest == 'N') and the current user has write access, handlers/page/show.php around lines 43-49 renders an edit form for that archived revision and copies $_GET['time'] into a hidden input without htmlspecialchars():
$time = isset($_GET['time']) ? $_GET['time'] : '';
echo $this->FormOpen(testUrlInIframe() ? 'editiframe' : 'edit', '', 'get');
<input type="hidden" name="time" value="<?php echo $time; ?>" />
That sink is reachable only when all of the following are true:
- The target page has at least one archived revision.
- The victim can
readthe target page. - The victim can
writethe target page, because the archived revision edit form is rendered only inside theif ($this->HasAccess('write'))branch.
In practice, the payload must begin with a real archived revision timestamp. A completely invalid time value does not reach the archived branch because YesWiki only updates the current page object when the revision lookup returns a non-empty row.
During local validation on the official doryphore 4.6.5 package, the exploit worked because MySQL accepted a malformed timestamp string as matching an existing archived revision row. For example, the following expression was coerced to the stored revision time:
CAST(CONCAT('2026-05-24 04:30:00', CHAR(34), CHAR(62), CHAR(60), 'script', CHAR(62), 'alert(1)', CHAR(60), '/script', CHAR(62)) AS DATETIME)
and the corresponding query predicate still matched the archived row:
WHERE time = '2026-05-24 04:30:00"><script>alert(1)</script>'
This means a payload can begin with a valid archived revision timestamp, still resolve to the archived revision, and then be reflected unescaped into the hidden HTML field.
For comparison, tools/bazar/handlers/page/show__.php around lines 13-14 escapes the same time value with htmlspecialchars(), which shows that the core handler's behavior is inconsistent and unsafe.
This issue maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
PoC
- Set up a vulnerable YesWiki instance. This was validated locally on the official
doryphore 4.6.5release. - Use a target page that has at least one archived revision. Any page with revision history is sufficient.
- Confirm the victim has the rights needed to reach the vulnerable sink:
- The victim must have
readaccess to the page. - The victim must have
writeaccess to the page. - On the default validation install, these rights were available anonymously on public pages such as
PagePrincipale, so no login was required in that configuration. - Identify the timestamp of an archived revision. In the validated setup, an archived
PagePrincipalerevision existed at2026-05-24 04:30:00. - Send the victim a crafted URL that starts with that valid archived revision timestamp and then appends an attribute-breaking payload:
http://127.0.0.1:8085/PagePrincipale?time=2026-05-24%2004:30:00%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cinput%20value=%22
- Open the URL in a browser as a victim who has the required
readandwriterights. - Observe that YesWiki still loads the archived revision view and displays the archived-revision warning block, proving the malformed
timevalue matched the stored archived revision. - Inspect the returned HTML. The response contains the injected payload inside the hidden form field:
<input type="hidden" name="time" value="2026-05-24 04:30:00"><script>alert(1)</script><input value="" />
- The browser executes the injected JavaScript in the YesWiki origin. A simple payload such as
alert(1)demonstrates code execution; a real payload could read browser-accessible data or perform actions in the victim's session.
Impact
This is a reflected XSS vulnerability in the archived-revision workflow.
The practical access model is:
- The attacker only needs to send a crafted link.
- The victim must have
readandwriteaccess to the target page. - The target page must have at least one archived revision.
- On deployments where anonymous visitors can edit public pages, the issue can be exploited against unauthenticated visitors as well.
An attacker may be able to:
- Execute arbitrary JavaScript in the victim's browser.
- Steal browser-accessible sensitive data.
- Perform actions as the victim inside YesWiki.
- Abuse the trusted YesWiki origin for phishing, UI redressing, or follow-on attacks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "yeswiki/yeswiki"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52773"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T21:00:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nYesWiki\u0027s archived-revision view reflects the `time` `GET` parameter into a hidden HTML input in `handlers/page/show.php` without escaping. Because MySQL coerces malformed `DATETIME` strings, an attacker can append HTML or JavaScript to a valid archived revision timestamp, still load that archived revision, and execute arbitrary JavaScript in the victim\u0027s browser.\n\nThe vulnerable form is only rendered when the victim can both read and edit the target page. In restricted deployments this requires a victim with `read` and `write` access to that page. On a default `doryphore 4.6.5` install, public pages such as `PagePrincipale` were editable anonymously during validation, so the issue can also affect unauthenticated visitors in that configuration.\n\n### Details\nThe request routing path uses the user-controlled `time` parameter to load a specific page revision. In `includes/YesWiki.php` around `Run()` line `1223`, the request is routed through:\n\n```php\n$this-\u003eSetPage($this-\u003eLoadPage($tag, isset($_REQUEST[\u0027time\u0027]) ? $_REQUEST[\u0027time\u0027] : \u0027\u0027));\n```\n\n`LoadPage()` delegates to `PageManager::getOne()` in `includes/services/PageManager.php` around line `75`, which builds a SQL predicate directly from the supplied revision time:\n\n```php\n$timeQuery = $time ? \"time = \u0027{$this-\u003edbService-\u003eescape($time)}\u0027\" : \"latest = \u0027Y\u0027\";\n```\n\nIf the loaded page is an archived revision (`latest == \u0027N\u0027`) and the current user has `write` access, `handlers/page/show.php` around lines `43-49` renders an edit form for that archived revision and copies `$_GET[\u0027time\u0027]` into a hidden input without `htmlspecialchars()`:\n\n```php\n$time = isset($_GET[\u0027time\u0027]) ? $_GET[\u0027time\u0027] : \u0027\u0027;\necho $this-\u003eFormOpen(testUrlInIframe() ? \u0027editiframe\u0027 : \u0027edit\u0027, \u0027\u0027, \u0027get\u0027);\n\u003cinput type=\"hidden\" name=\"time\" value=\"\u003c?php echo $time; ?\u003e\" /\u003e\n```\n\nThat sink is reachable only when all of the following are true:\n\n1. The target page has at least one archived revision.\n2. The victim can `read` the target page.\n3. The victim can `write` the target page, because the archived revision edit form is rendered only inside the `if ($this-\u003eHasAccess(\u0027write\u0027))` branch.\n\nIn practice, the payload must begin with a real archived revision timestamp. A completely invalid `time` value does not reach the archived branch because YesWiki only updates the current page object when the revision lookup returns a non-empty row.\n\nDuring local validation on the official `doryphore 4.6.5` package, the exploit worked because MySQL accepted a malformed timestamp string as matching an existing archived revision row. For example, the following expression was coerced to the stored revision time:\n\n```sql\nCAST(CONCAT(\u00272026-05-24 04:30:00\u0027, CHAR(34), CHAR(62), CHAR(60), \u0027script\u0027, CHAR(62), \u0027alert(1)\u0027, CHAR(60), \u0027/script\u0027, CHAR(62)) AS DATETIME)\n```\n\nand the corresponding query predicate still matched the archived row:\n\n```sql\nWHERE time = \u00272026-05-24 04:30:00\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027\n```\n\nThis means a payload can begin with a valid archived revision timestamp, still resolve to the archived revision, and then be reflected unescaped into the hidden HTML field.\n\nFor comparison, `tools/bazar/handlers/page/show__.php` around lines `13-14` escapes the same `time` value with `htmlspecialchars()`, which shows that the core handler\u0027s behavior is inconsistent and unsafe.\n\nThis issue maps to **CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)**.\n\n### PoC\n1. Set up a vulnerable YesWiki instance. This was validated locally on the official `doryphore 4.6.5` release.\n2. Use a target page that has at least one archived revision. Any page with revision history is sufficient.\n3. Confirm the victim has the rights needed to reach the vulnerable sink:\n - The victim must have `read` access to the page.\n - The victim must have `write` access to the page.\n - On the default validation install, these rights were available anonymously on public pages such as `PagePrincipale`, so no login was required in that configuration.\n4. Identify the timestamp of an archived revision. In the validated setup, an archived `PagePrincipale` revision existed at `2026-05-24 04:30:00`.\n5. Send the victim a crafted URL that starts with that valid archived revision timestamp and then appends an attribute-breaking payload:\n\n```text\nhttp://127.0.0.1:8085/PagePrincipale?time=2026-05-24%2004:30:00%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cinput%20value=%22\n```\n\n6. Open the URL in a browser as a victim who has the required `read` and `write` rights.\n7. Observe that YesWiki still loads the archived revision view and displays the archived-revision warning block, proving the malformed `time` value matched the stored archived revision.\n8. Inspect the returned HTML. The response contains the injected payload inside the hidden form field:\n\n```html\n\u003cinput type=\"hidden\" name=\"time\" value=\"2026-05-24 04:30:00\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003cinput value=\"\" /\u003e\n```\n\n9. The browser executes the injected JavaScript in the YesWiki origin. A simple payload such as `alert(1)` demonstrates code execution; a real payload could read browser-accessible data or perform actions in the victim\u0027s session.\n\n\u003cimg width=\"1600\" height=\"829\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d0b85a7c-2213-4459-908c-969934f06358\" /\u003e\n\n### Impact\nThis is a **reflected XSS** vulnerability in the archived-revision workflow.\n\nThe practical access model is:\n\n- The attacker only needs to send a crafted link.\n- The victim must have `read` and `write` access to the target page.\n- The target page must have at least one archived revision.\n- On deployments where anonymous visitors can edit public pages, the issue can be exploited against unauthenticated visitors as well.\n\nAn attacker may be able to:\n\n- Execute arbitrary JavaScript in the victim\u0027s browser.\n- Steal browser-accessible sensitive data.\n- Perform actions as the victim inside YesWiki.\n- Abuse the trusted YesWiki origin for phishing, UI redressing, or follow-on attacks.",
"id": "GHSA-35f3-pg38-486f",
"modified": "2026-07-09T21:00:55Z",
"published": "2026-07-09T21:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-35f3-pg38-486f"
},
{
"type": "WEB",
"url": "https://github.com/YesWiki/yeswiki/commit/35ad9c2bb6cd338198b37c1f745e24bc302a3560"
},
{
"type": "PACKAGE",
"url": "https://github.com/YesWiki/yeswiki"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.