Cross-Site Request Forgery (CSRF) in yeswiki/yeswiki


Reported on

Dec 6th 2021


Hey all,

So I found that YesWiki doesn't implement any sort of anti-CSRF mechanism; I found that the change email function is vulnerable to CSRF attacks, which leads to account takeover.

Proof of Concept

    <form method="POST" action="">
      <input type="hidden" name="usersettings_action" value="update"/>
      <input type="hidden" name="email" value=""/>
      <input type="hidden" name="revisioncount" value="20"/>
      <input type="submit" value="Submit">
    </form>

Exploitation Scenario:

  • An attacker sends the above PoC to the victim.

  • Rather than submit, the autosubmit attribute could be implemented, so the victim's email will be changed and he will be redirected to a third site.

  • An attacker will now reset his password via the changed email and will be able to take over the account.

NOTE: the attack could be applied to the admin account user, which could be harmful to other users, leading to compromise of their confidentiality, integrity and availability.

Remediation Actions:

Implementing an anti-CSRF token and/or anti-CSRF header with server-side checks should be sufficient to resolve the root cause of the issue.


Taking over user accounts.

Best Regards,
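
The remediation suggested in the report, shown as an added example that is not YesWiki's own code or the fix the maintainer shipped: a per-session synchronizer token embedded in the settings form and checked server-side before the update is applied, plus an Origin/Referer check as the optional "anti-CSRF header" layer. The function names (`csrf_token`, `csrf_validate`, `same_origin`), the field and session key names, and the site origin `https://wiki.example` are assumptions chosen for this illustration; only `usersettings_action=update` and the `email` field come from the report.

```php
<?php
// Added example (not YesWiki's code): synchronizer-token CSRF protection for a
// "change email" style form. Names below are assumptions for illustration.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';       // hidden form field name (assumed)
const CSRF_SESSION_KEY = 'csrf_token'; // key in $_SESSION (assumed)

/** Return the session's anti-CSRF token, generating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/**
 * Validate the token sent with a state-changing POST. True only when a
 * non-empty token is present and matches the session copy; hash_equals()
 * keeps the comparison constant-time.
 */
function csrf_validate(array $post, array $session): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post[CSRF_FIELD] ?? '';
    if (!is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

/**
 * Optional second layer: reject cross-site POSTs by comparing the Origin
 * header (or, if absent, the origin part of Referer) with the site's own
 * origin. A request carrying neither header is rejected.
 */
function same_origin(array $server, string $siteOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $parts = parse_url($server['HTTP_REFERER']);
        if ($parts !== false && isset($parts['scheme'], $parts['host'])) {
            $origin = $parts['scheme'] . '://' . $parts['host']
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
        }
    }
    return $origin !== null && strcasecmp($origin, $siteOrigin) === 0;
}

session_start();

// Server-side gate: the e-mail change must never run without a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['usersettings_action'] ?? '') === 'update') {
    if (!csrf_validate($_POST, $_SESSION)
        || !same_origin($_SERVER, 'https://wiki.example')) { // origin assumed
        http_response_code(403);
        exit('Request rejected: missing or invalid anti-CSRF token.');
    }
    // ... only now apply the e-mail change for the logged-in user ...
}

// Rendering the settings form: the token travels as a hidden field.
$field = CSRF_FIELD;
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="POST" action="">
  <input type="hidden" name="usersettings_action" value="update">
  <input type="hidden" name="{$field}" value="{$token}">
  <input type="email" name="email" value="">
  <input type="submit" value="Save">
</form>
HTML;
```

With this in place, a form submitted from another site has no way to read the victim's session token, so the hidden field is missing or wrong and the handler returns 403 before touching the e-mail address. Setting the session cookie with `SameSite=Lax` is a cheap additional layer, but it does not replace the server-side token check.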


We are processing your report and will contact the yeswiki team within 24 hours. a year ago
Moad Akhraz
a year ago


Hey @maintainer, we can work on a fix if you want; please ping me using @researcher.



We have contacted a member of the yeswiki team and are waiting to hear back a year ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. a year ago
Jérémy Dufraisse validated this vulnerability a year ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Moad Akhraz
a year ago


Hey @admin, I think that a CSRF that leads to account takeover deserves more than $5??

Jamie Slome
a year ago


Hello @mdakh404, I would recommend creating an issue on our public roadmap where you can share your thoughts!

Moad Akhraz
a year ago


Hello @j9rem, can you please deploy a fix for this one?

Jérémy Dufraisse marked this as fixed in doryphore-2022-02-14-16 with commit f72309 a year ago
Jérémy Dufraisse has been awarded the fix bounty
This vulnerability will not receive a CVE
usersettings.php#L119-L127 has been validated