SB2021122601 - Multiple vulnerabilities in Wiki.js


Published: December 26, 2021 Updated: April 28, 2026

Security Bulletin ID: SB2021122601
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100% (Medium, High, Critical: 0%)

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2021-43856)

The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to stored cross-site scripting in non-image file uploads. Uploaded files are served back to the browser for inline viewing, so a non-image upload containing active content (for example an HTML document with a script) is rendered rather than downloaded. A remote user with upload rights can store such a file and then lure another user into opening its URL, at which point the script runs in that user's browser; if uploads are served from the wiki's own origin, the script runs with that origin's cookies and storage.

The malicious file must be opened directly by the victim; it does not trigger from a normal Wiki.js page that merely links to or embeds the file.


2) Cross-site scripting (CVE-ID: CVE-2021-43855)

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user.

The vulnerability exists due to cross-site scripting in the file upload handling for SVG files. The SVG-specific handling on upload is keyed to the MIME type declared by the client, so a crafted SVG sent with a custom request that declares a different (fake) MIME type bypasses it and is stored as-is. A remote user can upload such an SVG containing a script and have it served back as an SVG document to other users, executing arbitrary JavaScript in their browsers.

Scripts execute only when the stored SVG is viewed directly (navigated to as a document) by other users; they do not execute when the file is embedded in a page via an <img> tag, because browsers do not run scripts in SVGs loaded as images.
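The two bugs above share a root cause: an upload check that trusts the client-declared MIME type, and an upload-serving path that renders whatever it stores as an inline document. The following is an added illustration, not Wiki.js code and not taken from this bulletin; the function names, the type table, the constructed sample uploads and the simplified browser model are assumptions. It models the CVE-2021-43855 pattern (an SVG declared as image/png slipping past an SVG-only check) and the CVE-2021-43856 pattern (a non-image upload rendered on direct view) side by side with a hardened handler that classifies by content and serves anything that is not a raster image as a download.

```javascript
// Added example (not Wiki.js code): upload handling keyed to the declared MIME
// type versus handling keyed to file content. All names are illustrative.

// Magic bytes for the raster formats we are willing to render inline.
const MAGIC = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];
const RASTER = new Set(MAGIC.map(m => m.mime));
const BY_EXT = { png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif',
                 svg: 'image/svg+xml', html: 'text/html', htm: 'text/html', txt: 'text/plain' };

// Content-based detection: magic bytes for raster images, a look at the leading
// markup for SVG/HTML. The client-declared MIME type is never consulted.
function sniffType(buf) {
  for (const m of MAGIC) {
    if (m.bytes.every((b, i) => buf[i] === b)) return m.mime;
  }
  const head = buf.subarray(0, 1024).toString('utf8').trim().toLowerCase();
  if (head.startsWith('<')) {
    return head.includes('<svg') ? 'image/svg+xml' : 'text/html';
  }
  return 'application/octet-stream';
}

function extType(filename) {
  const ext = filename.split('.').pop().toLowerCase();
  return BY_EXT[ext] || 'application/octet-stream';
}

// Vulnerable pattern: the SVG-specific step keys off the declared MIME type
// (bypassed by declaring e.g. image/png), and every accepted file is later served
// inline with a Content-Type chosen from its extension.
function vulnerableUpload(filename, declaredMime, buf) {
  if (declaredMime === 'image/svg+xml') {
    return { accepted: false };           // stand-in for the SVG-only handling
  }
  return { accepted: true, headers: { 'Content-Type': extType(filename) } };
}

// Hardened pattern: classify by content, render only raster images inline, and
// turn everything else into a download that no browser treats as a document.
function hardenedUpload(filename, declaredMime, buf) {
  const real = sniffType(buf);
  const safeName = filename.replace(/[^\w.-]/g, '_');
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (RASTER.has(real)) {
    headers['Content-Type'] = real;
    return { accepted: true, headers };
  }
  // SVG keeps its type so <img src> embedding still works (browsers honour
  // Content-Disposition on navigations, not on image subresource loads); direct
  // navigation downloads it and the sandbox CSP blocks script if it is rendered.
  headers['Content-Type'] = real === 'image/svg+xml' ? real : 'application/octet-stream';
  headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  headers['Content-Security-Policy'] = "default-src 'none'; sandbox";
  return { accepted: true, headers };
}

// Simplified model of a browser navigating to the stored file directly (the only
// trigger path the bulletin describes): script runs if the response carries an
// active document type, is served inline, and has no sandboxing CSP.
function scriptsRunOnDirectView(headers) {
  const type = (headers['Content-Type'] || '').toLowerCase();
  const active = type.startsWith('text/html') || type.startsWith('image/svg+xml');
  const inline = !/^attachment/i.test(headers['Content-Disposition'] || '');
  const sandboxed = /\bsandbox\b/.test(headers['Content-Security-Policy'] || '');
  return active && inline && !sandboxed;
}

// Constructed sample uploads for the demo; not attack files from the advisory.
const CRAFTED_SVG  = Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>');
const CRAFTED_HTML = Buffer.from('<html><body><script>alert(2)</script></body></html>');
const PNG_HEADER   = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

function demo() {
  return {
    // CVE-2021-43855 style: SVG declared as image/png slips past the SVG check
    svgVuln:  scriptsRunOnDirectView(vulnerableUpload('logo.svg', 'image/png', CRAFTED_SVG).headers),
    svgHard:  scriptsRunOnDirectView(hardenedUpload('logo.svg', 'image/png', CRAFTED_SVG).headers),
    // CVE-2021-43856 style: a non-image upload rendered when opened directly
    htmlVuln: scriptsRunOnDirectView(vulnerableUpload('notes.html', 'text/plain', CRAFTED_HTML).headers),
    htmlHard: scriptsRunOnDirectView(hardenedUpload('notes.html', 'text/plain', CRAFTED_HTML).headers),
    // A genuine PNG with a misleading declared type is still rendered inline
    pngHard:  hardenedUpload('photo.png', 'text/plain', PNG_HEADER).headers['Content-Type'],
  };
}

console.log(demo());
```

The hardened handler deliberately does not try to sanitise SVG or HTML: stripping scripts from markup is error-prone, whereas refusing to serve user-controlled markup as an inline document removes the trigger the bulletin describes. Serving uploads from a separate origin is the other common option, since it keeps any script that does run away from the wiki's session cookies.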


Remediation

Install the update from the vendor's website.

Until the update is applied, the trigger condition described above (a victim opening the stored file directly) can be closed by serving user uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff, or from a separate origin. This is general hardening, not a vendor-published workaround.