CVE-2021-25993

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attackers server and will lead to account takeover when accessed by the victim.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
MendCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
requarkswiki.js
2.0.1 ≤
𝑥
≤ 2.5.255
requarkswiki.js
2.0.0:beta147
requarkswiki.js
2.0.0:beta148
requarkswiki.js
2.0.0:beta174
requarkswiki.js
2.0.0:beta180
requarkswiki.js
2.0.0:beta203
requarkswiki.js
2.0.0:beta208
requarkswiki.js
2.0.0:beta230
requarkswiki.js
2.0.0:beta241
requarkswiki.js
2.0.0:beta267
requarkswiki.js
2.0.0:beta268
requarkswiki.js
2.0.0:beta275
requarkswiki.js
2.0.0:beta303
requarkswiki.js
2.0.0:rc1
requarkswiki.js
2.0.0:rc17
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Requarks/wiki/commit/5d3e81496fba1f0fbd64eeb855f30f69a9040718
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25993
https://github.com/Requarks/wiki/commit/5d3e81496fba1f0fbd64eeb855f30f69a9040718
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25993