Wiki Js
CVE-2020-4052
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.
AnalysisAI
In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107. Affected products include: Requarks Wiki.Js. Version information: before 2.4.107.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Authentication Bypass Using an Alternate Path or Channel in GitHub repository requarks/wiki prior to 2.5.281. Rated high
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged
Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo
Wiki.js is a wiki app built on node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo
Wiki.js an open-source wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely explo
Wiki.js is a wiki app built on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
In Wiki.js before version 2.5.151, directory traversal outside of Wiki.js context is possible when a storage module with
Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, lo
Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, lo
In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. R
In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. Rated medium severity (CVSS 4.8), this vulnerabi
Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. Rated critical s
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today