Vulnerability Details : CVE-2021-43856
Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through non-image file uploads for file types that can be viewed directly inline in the browser. By creating a malicious file which can execute inline JS when viewed in the browser (e.g. XML files), a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the file is viewed directly by other users. The file must be opened directly by the user and will not trigger directly in a normal Wiki.js page. A patch in version 2.5.264 fixes this vulnerability by adding an optional (enabled by default) force download flag to all non-image file types, preventing the file from being viewed inline in the browser. As a workaround, disable file upload for all non-trusted users. --- Thanks to @Haxatron for reporting this vulnerability. Initially reported via https://huntr.dev/bounties/266bff09-00d9-43ca-a4bb-bb540642811f/
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-43856
- cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-43856
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-43856
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST | |
8.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N |
2.8
|
4.7
|
GitHub, Inc. |
CWE ids for CVE-2021-43856
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2021-43856
-
https://github.com/Requarks/wiki/commit/79bdd4409316adf649806de3e22352297f85cee0
fix: force download of unsafe extensions · Requarks/wiki@79bdd44 · GitHubPatch;Third Party Advisory
-
https://github.com/Requarks/wiki/releases/tag/2.5.264
Release 2.5.264 · Requarks/wiki · GitHubRelease Notes;Third Party Advisory
-
https://github.com/Requarks/wiki/security/advisories/GHSA-rhpf-929m-7fm2
Stored XSS in non-image uploads when viewed inline in browser · Advisory · Requarks/wiki · GitHubExploit;Patch;Third Party Advisory
Jump to