Skip to main content

Wiki Js CVE-2020-11051

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-05-05 security-advisories@github.com
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
May 05, 2020 - 21:15 nvd
MEDIUM 4.8

DescriptionNVD

In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81.

AnalysisAI

In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81. Affected products include: Requarks Wiki.Js. Version information: before 2.3.81.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2022-1681 HIGH POC
7.2 May 12

Authentication Bypass Using an Alternate Path or Channel in GitHub repository requarks/wiki prior to 2.5.281. Rated high

CVE-2021-25993 MEDIUM POC
5.4 Dec 29

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged

CVE-2021-43856 MEDIUM POC
5.4 Dec 27

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo

CVE-2021-43855 MEDIUM POC
5.4 Dec 27

Wiki.js is a wiki app built on node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo

CVE-2021-21383 MEDIUM POC
5.4 Mar 18

Wiki.js an open-source wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo

CVE-2021-43800 HIGH
7.5 Dec 06

Wiki.js is a wiki app built on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2020-15236 HIGH
7.5 Oct 05

In Wiki.js before version 2.5.151, directory traversal outside of Wiki.js context is possible when a storage module with

CVE-2022-23654 MEDIUM
6.5 Feb 22

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, lo

CVE-2020-4052 MEDIUM
6.1 Jun 16

In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. Rated medium severity (CVS

CVE-2021-43842 MEDIUM
5.4 Dec 20

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo

CVE-2020-15274 MEDIUM
5.4 Oct 26

In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. R

CVE-2025-56643 CRITICAL
9.1 Nov 18

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. Rated critical s

Share

CVE-2020-11051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy