Vulnerability Details CVE-2020-4052
In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.2%
CVSS Severity
CVSS v3 Score 6.3
CVSS v2 Score 4.3
References
- https://github.com/Requarks/wiki/commit/9e08718ee904046f8b2294ef6ac79e8a75a451e3
- https://github.com/Requarks/wiki/security/advisories/GHSA-9jgg-4xj2-vjjj
- https://github.com/Requarks/wiki/commit/9e08718ee904046f8b2294ef6ac79e8a75a451e3
- https://github.com/Requarks/wiki/security/advisories/GHSA-9jgg-4xj2-vjjj
Products affected by CVE-2020-4052
-
cpe:2.3:a:requarks:wiki.js:-
-
cpe:2.3:a:requarks:wiki.js:1.0
-
cpe:2.3:a:requarks:wiki.js:1.0.0
-
cpe:2.3:a:requarks:wiki.js:1.0.1
-
cpe:2.3:a:requarks:wiki.js:1.0.10
-
cpe:2.3:a:requarks:wiki.js:1.0.102
-
cpe:2.3:a:requarks:wiki.js:1.0.11
-
cpe:2.3:a:requarks:wiki.js:1.0.12
-
cpe:2.3:a:requarks:wiki.js:1.0.3
-
cpe:2.3:a:requarks:wiki.js:1.0.4
-
cpe:2.3:a:requarks:wiki.js:1.0.5
-
cpe:2.3:a:requarks:wiki.js:1.0.6
-
cpe:2.3:a:requarks:wiki.js:1.0.66
-
cpe:2.3:a:requarks:wiki.js:1.0.68
-
cpe:2.3:a:requarks:wiki.js:1.0.7
-
cpe:2.3:a:requarks:wiki.js:1.0.76
-
cpe:2.3:a:requarks:wiki.js:1.0.78
-
cpe:2.3:a:requarks:wiki.js:1.0.8
-
cpe:2.3:a:requarks:wiki.js:1.0.9
-
cpe:2.3:a:requarks:wiki.js:2.0.0
-
cpe:2.3:a:requarks:wiki.js:2.0.1
-
cpe:2.3:a:requarks:wiki.js:2.0.12
-
cpe:2.3:a:requarks:wiki.js:2.1.113
-
cpe:2.3:a:requarks:wiki.js:2.2.50
-
cpe:2.3:a:requarks:wiki.js:2.2.51
-
cpe:2.3:a:requarks:wiki.js:2.3.71
-
cpe:2.3:a:requarks:wiki.js:2.3.72
-
cpe:2.3:a:requarks:wiki.js:2.3.77
-
cpe:2.3:a:requarks:wiki.js:2.3.81
-
cpe:2.3:a:requarks:wiki.js:2.4.105
-
cpe:2.3:a:requarks:wiki.js:2.4.75