{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki-4.6.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["YesWiki 4.6.5"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability","yeswiki","ghsa"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eA critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) has been identified in YesWiki versions up to and including 4.6.5, affecting its \u003ccode\u003eApiController::deletePage()\u003c/code\u003e API endpoint. This flaw allows a low-privilege authenticated attacker to execute arbitrary SQL commands within the wiki's database, leading to potential data exfiltration. The vulnerability occurs because the application, while correctly escaping SQL metacharacters upon initial insertion of a page tag (e.g., \u003ccode\u003eSleepTag' OR SLEEP(2)-- \u003c/code\u003e) into the \u003ccode\u003eyeswiki_pages\u003c/code\u003e table, fails to re-escape this stored, attacker-controlled tag when it's later retrieved and used in a \u003ccode\u003eDELETE FROM ..._links WHERE to_tag = '$tag'\u003c/code\u003e query. This second-order behavior bypasses typical input validation and enables time-based blind data exfiltration of sensitive information like user credentials, private page content, and other database records. The issue is exposed via the \u003ccode\u003eDELETE /api/pages/{tag}\u003c/code\u003e route, which is accessible to any authenticated user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: A low-privilege authenticated user gains access to a YesWiki instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Page Creation\u003c/strong\u003e: The attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/pages/{tag}\u003c/code\u003e with a URL-encoded malicious tag (e.g., \u003ccode\u003eSleepTag%27%20OR%20SLEEP(2)--%20\u003c/code\u003e) containing SQL metacharacters. This tag is stored unescaped in the \u003ccode\u003eyeswiki_pages\u003c/code\u003e database table.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLinker Page Creation\u003c/strong\u003e: The attacker creates a second, benign page, for example, \u003ccode\u003eLinkPoc\u003c/code\u003e, via \u003ccode\u003ePOST /api/pages/LinkPoc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Link\u003c/strong\u003e: The attacker updates the \u003ccode\u003eLinkPoc\u003c/code\u003e page (e.g., via the \u003ccode\u003eLinkPoc/edit\u003c/code\u003e web editor handler) to include a reference to the malicious page using \u003ccode\u003e{{include page=\u0026quot;\u0026lt;evil tag\u0026gt;\u0026quot;}}\u003c/code\u003e. This action causes the application to insert a row into the \u003ccode\u003eyeswiki_links\u003c/code\u003e table, establishing a link to the malicious page and storing its raw, unescaped tag as \u003ccode\u003eto_tag\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger\u003c/strong\u003e: The attacker sends a \u003ccode\u003eDELETE\u003c/code\u003e request to \u003ccode\u003e/api/pages/{evil-tag}\u003c/code\u003e for the malicious page. The \u003ccode\u003eDELETE\u003c/code\u003e request targets the same URL-encoded malicious tag as created in step 2.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSQL Injection Execution\u003c/strong\u003e: During the deletion process, the YesWiki application retrieves the stored malicious tag from the database and uses it unescaped in an SQL query like \u003ccode\u003eDELETE FROM yeswiki_links WHERE to_tag = '$tag'\u003c/code\u003e. The injected SQL (e.g., \u003ccode\u003eOR SLEEP(2)-- \u003c/code\u003e) is then executed within the database.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: By varying the injected SQL payload, such as using conditional \u003ccode\u003eSLEEP()\u003c/code\u003e statements, the attacker can perform time-based blind data exfiltration of sensitive information from any accessible database table.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to time-based blind exfiltration of sensitive data from the YesWiki database. This includes highly sensitive information such as user password hashes (\u003ccode\u003e_users.password\u003c/code\u003e), email addresses, Access Control List (ACL) configurations (\u003ccode\u003e_acls.list\u003c/code\u003e), private page bodies (\u003ccode\u003e_pages.body\u003c/code\u003e), and database session data. Given the \u0026quot;acl:+\u0026quot; access control, any authenticated user, regardless of their privilege level, can initiate this attack. The impact can range from unauthorized disclosure of user data to full compromise of the wiki's content and user base.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eImmediately patch YesWiki installations to the latest version to address GHSA-8f2v-2qhj-gfwg.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetect YesWiki SQLi Attempt via URL-encoded Single Quote\u003c/code\u003e Sigma rule to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive webserver logging (e.g., access logs) for the \u003ccode\u003ewebserver\u003c/code\u003e category to activate the provided Sigma rule.\u003c/li\u003e\n\u003c/ol\u003e\n","date_modified":"2026-07-09T21:09:58Z","date_published":"2026-07-09T21:09:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-second-order-sqli/","summary":"A critical second-order SQL injection vulnerability (GHSA-8f2v-2qhj-gfwg) in YesWiki versions up to 4.6.5 allows a low-privilege authenticated attacker to execute arbitrary SQL commands via an unescaped page tag in the `ApiController::deletePage()` API, leading to time-based blind data exfiltration.","title":"YesWiki Second-Order SQL Injection via Unescaped Page Tag in API Controller","url":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-second-order-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - YesWiki 4.6.5","version":"https://jsonfeed.org/version/1.1"}