
Stored XSS through template injection

Moderate
NGPixel published GHSA-9jgg-4xj2-vjjj Jun 14, 2020

Package

No package listed

Affected versions

> 2.4.17

Patched versions

2.4.107

Description

Impact

Wiki.js 2.4.105 is vulnerable to stored cross-site scripting through template injection. The cause is an insecure validation mechanism that is intended to add v-pre to rendered HTML elements which contain curly braces.

By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. The following example shows a Wiki.js page (using the raw-HTML editor mode) which executes attacker-provided JavaScript:

<h1>Title</h1>
<p>Some text here</p> {{constructor.constructor('alert("Wiki.JS Stored XSS")')()&#x7d&#x7d

The payload works because template injection text placed in a top-level text element bypasses the protections provided by v-pre.

Patches

Commit 9e08718 fixes this vulnerability by wrapping any text elements at the root level and correctly matching both normal and encoded mustache template characters.

Thanks to @denandz for reporting this vulnerability.
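
The following is an added example, not code from the advisory or from the Wiki.js code base: a Node.js audit check that flags stored page HTML in which mustache delimiters, raw or entity-encoded, appear in text with no v-pre ancestor, which are the two conditions the fix description names. The function names and the sample input are assumptions made for illustration.

```javascript
// Added example, not Wiki.js code. Regex tokenizing is a simplification:
// it assumes well-formed tags and no '>' inside attribute values.
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr']);

// Decode the character references a browser turns into '{' or '}',
// including numeric references with the trailing ';' omitted.
function decodeBraces(text) {
  return text
    .replace(/&#(?:x0*7b(?![0-9a-f])|0*123(?![0-9]));?/gi, '{')
    .replace(/&#(?:x0*7d(?![0-9a-f])|0*125(?![0-9]));?/gi, '}')
    .replace(/&(?:lbrace|lcub);/g, '{')
    .replace(/&(?:rbrace|rcub);/g, '}');
}

function hasMustache(text) {
  const decoded = decodeBraces(text);
  return decoded.includes('{{') || decoded.includes('}}');
}

// Return every text node that holds mustache delimiters and has no
// ancestor carrying v-pre. Root-level text (depth 0) never has one.
function findUnprotectedMustache(html) {
  const findings = [];
  const stack = []; // per open element: true if it or an ancestor has v-pre
  for (const part of html.split(/(<[^>]*>)/)) {
    const tag = /^<(\/?)([a-zA-Z][^\s/>]*)([^>]*)>$/.exec(part);
    if (tag) {
      const [, closing, name, attrs] = tag;
      if (closing) { stack.pop(); continue; }
      if (VOID.has(name.toLowerCase()) || /\/\s*$/.test(attrs)) continue;
      const inherited = stack.length > 0 && stack[stack.length - 1];
      stack.push(inherited || /(?:^|\s)v-pre(?=[\s=/]|$)/i.test(attrs));
    } else if (!part.startsWith('<') && hasMustache(part)) {
      const covered = stack.length > 0 && stack[stack.length - 1];
      if (!covered) findings.push({ depth: stack.length, text: part.trim() });
    }
  }
  return findings;
}

// Constructed sample: same shape as the advisory's page, harmless expression.
const sample = '<h1>Title</h1>\n<p>Some text here</p> {{ 1 + 1 &#x7d&#x7d';
console.log(findUnprotectedMustache(sample));
```

A finding with depth 0 is root-level text; a finding at any depth whose text contains `&#` is the encoded-delimiter case.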

Severity

Moderate

CVE ID

CVE-2020-4052

Weaknesses

No CWEs
