CVE-2020-4052 MEDIUM

CVE-2020-4052: Stored XSS through template injection in Wiki.js

Vendor: Requarks.io
Product: Wiki.js
Weakness: CWE-79 · XSS
Published: June 16, 2020
Last update: August 4, 2024

CVSS base score

6.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Wiki.js before 2.4.107 contains a stored cross-site scripting vulnerability through template injection. The vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.

Key dates

02 Disclosure timeline

June 16, 2020: CVE published
August 4, 2024: Record updated
