Wiki.js@* Security Vulnerabilities and Issues — Wiki.js@* CVE List

Lucene search

RequarksWiki.js*

14 matches found

CVE•added 2022/02/22 8:15 p.m.•153 views

CVE-2022-23654

Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly check the path access ...

8.1CVSS6.8AI score0.00256EPSS

CVE•added 2022/05/12 8:15 a.m.•74 views

CVE-2022-1681

Authentication Bypass Using an Alternate Path or Channel in GitHub repository requarks/wiki prior to 2.5.281. User can get root user permissions

9CVSS7.1AI score0.00268EPSS

CVE•added 2024/05/20 10:15 p.m.•69 views

CVE-2024-34710

Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of...

7.1CVSS6.7AI score0.00172EPSS

CVE•added 2021/12/27 6:15 p.m.•59 views

CVE-2021-43856

Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through non-image file uploads for file types that can be viewed directly inline in the browser. By creating a malicious file which can execute inline JS when viewed in the browser (e.g....

8.2CVSS5.7AI score0.00425EPSS

CVE•added 2020/05/05 9:15 p.m.•58 views

CVE-2020-11051

In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be ...

6.9CVSS5.1AI score0.00323EPSS

CVE•added 2021/12/20 11:15 p.m.•57 views

CVE-2021-43842

Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and earlier are vulnerable to stored cross-site scripting through a SVG file upload. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute maliciou...

5.4CVSS5.3AI score0.00263EPSS

CVE•added 2021/12/29 5:15 p.m.•49 views

CVE-2021-25993

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to...

5.4CVSS5.2AI score0.00206EPSS

CVE•added 2020/06/16 10:15 p.m.•43 views

CVE-2020-4052

In Wiki.js before 2.4.107, there is a stored cross-site scripting through template injection. This vulnerability exists due to an insecure validation mechanism intended to insert v-pre tags into rendered HTML elements which contain curly-braces. By creating a crafted wiki page, a malicious Wiki.js ...

6.3CVSS6.1AI score0.0024EPSS

CVE•added 2020/10/05 3:15 p.m.•39 views

CVE-2020-15236

In Wiki.js before version 2.5.151, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled. A malicious user can potentially read any file on the file system by crafting a special URL that allows for directory traversal. This is on...

8.6CVSS7.6AI score0.0047EPSS

CVE•added 2021/12/27 6:15 p.m.•38 views

CVE-2021-43855

Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through a SVG file upload made via a custom request with a fake MIME type. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This a...

8.2CVSS5.7AI score0.00361EPSS

CVE•added 2024/09/18 5:15 p.m.•33 views

CVE-2024-45298

Wiki.js is an open source wiki app built on Node.js. A disabled user can still gain access to a wiki by abusing the password reset function. While setting up SMTP e-mail's on my server, I tested said e-mails by performing a password reset with my test user. To my shock, not only did it let me reset...

4.3CVSS4.7AI score0.00015EPSS

CVE•added 2021/03/18 5:15 p.m.•31 views

CVE-2021-21383

Wiki.js an open-source wiki app built on Node.js. Wiki.js before version 2.5.191 is vulnerable to stored cross-site scripting through mustache expressions in code blocks. This vulnerability exists due to mustache expressions being parsed by Vue during content injection even though it is contained w...

7.6CVSS5.7AI score0.00263EPSS

CVE•added 2021/12/06 7:15 p.m.•31 views

CVE-2021-43800

Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled on a Windows host. A malicious user can potentially read any file on the file system by crafting a special UR...

7.5CVSS7.4AI score0.00353EPSS

CVE•added 2020/10/26 7:15 p.m.•23 views

CVE-2020-15274

In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433d...

5.8CVSS5.3AI score0.0059EPSS