CVE-2024-51478

YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc	Patch
https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7	Patch
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*

History

09 May 2025, 14:06

Type	Values Removed	Values Added
Summary		(es) YesWiki es un sistema wiki escrito en PHP. Antes de la versión 4.4.5, el uso de un algoritmo criptográfico débil y una sal codificada de forma rígida para codificar la clave de restablecimiento de contraseña permite recuperarla y usarla para restablecer la contraseña de cualquier cuenta. Este problema se solucionó en la versión 4.4.5.
First Time		Yeswiki Yeswiki yeswiki
CPE		cpe:2.3:a:yeswiki:yeswiki::::::::
References	~~() https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc -~~	() https://github.com/YesWiki/yeswiki/commit/b5a8f93b87720d5d5f033a4b3a131ce0fb621dbc - Patch
References	~~() https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7 -~~	() https://github.com/YesWiki/yeswiki/commit/e1285709f6f6a2277bd0075acf369f33cefd78f7 - Patch
References	~~() https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3 -~~	() https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4fvx-h823-38v3 - Exploit, Vendor Advisory

31 Oct 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-31 17:15

Updated : 2025-05-09 14:06

NVD link : CVE-2024-51478

Mitre link : CVE-2024-51478

CVE.ORG link : CVE-2024-51478

JSON object : View

Products Affected

yeswiki

yeswiki

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

9.9 /10