Impact
Wiki.js 2.5.257 and earlier is vulnerable to stored cross-site scripting through an SVG file upload.
By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when loaded inside a page via normal <img> tags.
Patches
Commit 5d3e814 fixes this vulnerability by adding an optional (enabled by default) SVG sanitization step to all file uploads that match the SVG MIME type.
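The following is an added example, not code from Wiki.js or from commit 5d3e814: a heuristic Node.js check that flags SVG markup able to run script when the file is opened directly, which is the condition this advisory describes. The function names and the sample files are assumptions constructed for illustration, and the check is a review aid, not a replacement for the sanitization step.

```javascript
// Added example (not Wiki.js code): heuristic audit of SVG files for active content.
// A clean result is not proof of safety; sanitizing on upload remains the fix.

// Decode numeric character references so encoded attribute values are checked too.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)));
}

// Return the names of the active-content checks that an SVG document trips.
function auditSvg(svg) {
  const text = decodeEntities(svg);
  const hits = [];
  if (/<\s*(?:[\w-]+:)?script\b/i.test(text)) hits.push('script-element');
  // foreignObject can embed HTML, so it is flagged for manual review.
  if (/<\s*(?:[\w-]+:)?foreignObject\b/i.test(text)) hits.push('foreign-object');
  if (/<[^>]*?[\s"'/]on[a-z]+\s*=/i.test(text)) hits.push('event-handler');
  // Browsers ignore tabs and newlines inside URLs, so strip them before matching the scheme.
  const hrefs = text.matchAll(/\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi);
  for (const m of hrefs) {
    const value = (m[1] ?? m[2] ?? m[3]).replace(/[\s\u0000-\u001f]/g, '');
    if (/^javascript:/i.test(value)) { hits.push('script-uri'); break; }
  }
  return hits;
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES = {
  'logo.svg': '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
  'scripted.svg': '<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>',
  'handler.svg': '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"/>',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  const hits = auditSvg(body);
  console.log(`${name}: ${hits.length ? hits.join(', ') : 'no active content found'}`);
}
```

Any file the check flags should be re-sanitized or removed rather than served as-is.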
Workarounds
Disable file upload for all non-trusted users.
Thanks to WhiteSource for reporting this vulnerability.