CVE-2021-25993
Severity: MEDIUM | WAF coverage: High
CVSS 5.4
Published: 2021-12-29
CWE-79
Requarks wiki.js, versions 2.0.0-beta.147 through 2.5.255, is affected by a stored XSS vulnerability: a low-privileged (editor) user can upload an SVG file containing malicious JavaScript as a page asset. When a victim opens the stored asset, the script runs in the wiki's origin, sends the victim's JWT tokens to the attacker's server and leads to account takeover.
WAF Coverage Analysis
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| requarks | wiki.js | 2.0.1 - 2.5.255 |
| requarks | wiki.js | 2.0.0 |
References
- github.com (Patch, Third Party Advisory)
- www.whitesourcesoftware.com (Exploit, Third Party Advisory)