Vulnerability Details CVE-2021-25986
In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.7%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://github.com/django-wiki/django-wiki/commit/9eaccc7519e4206a4d2f22640882f0737b2da9c5
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25986
- https://github.com/django-wiki/django-wiki/commit/9eaccc7519e4206a4d2f22640882f0737b2da9c5
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25986
Products affected by CVE-2021-25986
-
cpe:2.3:a:django-wiki_project:django-wiki:*