CVE-2021-25993 : Security Advisory and Response

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by a Stored XSS vulnerability, enabling low-privileged users to execute malicious JavaScript by uploading a SVG file, potentially leading to account takeover.

Understanding CVE-2021-25993

This CVE affects Requarks wiki.js versions 2.0.0-beta.147 to 2.5.255 due to a stored XSS vulnerability, allowing attackers to perform malicious actions through uploaded assets.

What is CVE-2021-25993?

It is a Stored Cross-Site Scripting (XSS) vulnerability in Requarks wiki.js versions 2.0.0-beta.147 to 2.5.255 that permits users to upload malicious JavaScript code via SVG files, leading to potential account takeovers.

The Impact of CVE-2021-25993

The vulnerability poses a medium threat, with a CVSS base score of 5.4. Attackers could exploit this flaw to obtain JWT tokens and compromise victim accounts.

Technical Details of CVE-2021-25993

This section provides detailed technical information about the vulnerability.

Vulnerability Description

In versions 2.0.0-beta.147 to 2.5.255 of Requarks wiki.js, a low-privileged editor user can upload a SVG file containing malicious JavaScript code, allowing the extraction of JWT tokens and potential account takeovers.

Affected Systems and Versions

Requarks wiki.js versions 2.0.0-beta.147 to 2.5.255 are affected by this vulnerability.

Exploitation Mechanism

Attackers can exploit this vulnerability by uploading a crafted SVG file containing malicious JavaScript while managing assets on the page.

Mitigation and Prevention

Protect your system from CVE-2021-25993 using the following strategies.

Immediate Steps to Take

Update Requarks wiki.js to version 2.5.260 or later to mitigate the risk of this vulnerability.

Long-Term Security Practices

Implement strict asset upload policies and user permissions to prevent unauthorized uploads.

Patching and Updates

Regularly update your wiki.js software to the latest version to address security vulnerabilities promptly.