CVE-2020-4052
6.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Requarks.io | Wiki.js | < 2.4.107 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Requarks/wiki/security/advisories/GHSA-9jgg-4xj2-vjjj
- https://github.com/Requarks/wiki/commit/9e08718ee904046f8b2294ef6ac79e8a75a451e3
References
- https://github.com/Requarks/wiki/security/advisories/GHSA-9jgg-4xj2-vjjj
- https://github.com/Requarks/wiki/commit/9e08718ee904046f8b2294ef6ac79e8a75a451e3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.