In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the page is viewed by other users. This has been patched in 2.4.107.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-06-16T21:55:15

Updated: 2024-08-04T07:52:20.875Z

Reserved: 2019-12-30T00:00:00

Link: CVE-2020-4052

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-06-16T22:15:10.503

Modified: 2024-11-21T05:32:13.803

Link: CVE-2020-4052

cve-icon Redhat

No data.