Wiki.js prior to version 2.5.264 is prone to stored cross-site scripting via SVG file upload. Learn about the impact, affected systems, exploitation mechanism, and mitigation steps.
Wiki.js 2.5.263 and earlier versions are susceptible to stored cross-site scripting (XSS) via SVG file upload. An attacker who can upload files can store an SVG containing JavaScript, which executes in the browser of any other user who opens the stored SVG file directly.
Understanding CVE-2021-43855
What is CVE-2021-43855?
Wiki.js, a Node.js-based wiki application, has a stored cross-site scripting vulnerability in versions prior to 2.5.264. The flaw lets an attacker embed script in an uploaded SVG file; the script runs when a user opens the file directly rather than through an <img> tag.
The Impact of CVE-2021-43855
The vulnerability has a CVSS base score of 8.2 (High severity). The attack vector is network-based, exploitation requires user interaction (a victim must open the stored SVG directly), and the impact is to confidentiality and integrity.
Technical Details of CVE-2021-43855
Vulnerability Description
The flaw allows a malicious user to upload a crafted SVG file under a spoofed (non-SVG) MIME type, so that the upload bypasses SVG-specific handling and is stored as-is. Only direct views of the stored SVG (navigating to the file's URL) execute the embedded script; loading the same file through a normal <img> tag does not, because browsers never run script in images.
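The two points above, content-based detection of SVG uploads regardless of the declared MIME type and the distinction between direct views and <img> loads, are illustrated by the following Node.js snippet. It is an added example, not code from Wiki.js or from the fix; the function names, the active-content patterns and all sample uploads are constructed for this illustration.

```javascript
// Added example, not Wiki.js code: how an upload handler can treat SVG uploads
// safely even when the declared MIME type is spoofed, and which response headers
// make a direct view of a stored SVG inert while <img> embedding keeps working.
// All sample uploads below are constructed for this example.

// Recognise SVG by content, never by the client-supplied Content-Type or the
// file extension. Skips a BOM, XML declaration, comments and DOCTYPE before
// looking for an <svg> root element.
function sniffIsSvg(bytes) {
  const head = Buffer.from(bytes).subarray(0, 4096).toString('utf8')
    .replace(/^\uFEFF/, '')
    .replace(/<\?[\s\S]*?\?>/g, '')
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!DOCTYPE[\s\S]*?>/gi, '');
  return /^\s*<svg[\s>]/i.test(head);
}

// Constructs that let an SVG run script or host active content when it is
// opened directly as a document.
const ACTIVE_CONTENT = [
  { name: 'script element', re: /<\s*script[\s>]/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject (embedded HTML)', re: /<\s*foreignObject[\s>]/i },
];

function findActiveContent(svgText) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Decide how to store an upload. `declaredMime` is what the client sent and is
// only used for logging a mismatch; the sniffed type is what gets stored.
function classifyUpload({ declaredMime, filename, bytes }) {
  const isSvg = sniffIsSvg(bytes);
  const mimeSpoofed = isSvg && declaredMime !== 'image/svg+xml';
  const effectiveMime = isSvg ? 'image/svg+xml' : declaredMime;
  const findings = isSvg ? findActiveContent(Buffer.from(bytes).toString('utf8')) : [];
  return { filename, isSvg, mimeSpoofed, effectiveMime, findings, accept: findings.length === 0 };
}

// Headers for serving a stored SVG. A CSP with `default-src 'none'` and the
// `sandbox` directive (no allow-scripts) keeps a directly opened SVG from
// running script; `attachment` turns a direct view into a download, while
// <img src="..."> still renders the file because browsers ignore
// Content-Disposition for image subresources.
function svgResponseHeaders(filename) {
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'Content-Disposition': `attachment; filename="${filename.replace(/[^\w.-]/g, '_')}"`,
  };
}

// Constructed sample uploads: a clean SVG, an SVG with an inline script sent
// under a spoofed image/png type and extension, and a real PNG header.
const SAMPLES = {
  benign: {
    declaredMime: 'image/svg+xml', filename: 'logo.svg',
    bytes: Buffer.from('<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'),
  },
  spoofed: {
    declaredMime: 'image/png', filename: 'diagram.png',
    bytes: Buffer.from('<!-- constructed sample -->\n<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker */</script></svg>'),
  },
  png: {
    declaredMime: 'image/png', filename: 'photo.png',
    bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  },
};

for (const [name, upload] of Object.entries(SAMPLES)) {
  console.log(name, classifyUpload(upload));
}
console.log(svgResponseHeaders('logo.svg'));
```

Run with `node`: the spoofed upload is recognised as SVG despite its image/png label, flagged for its script element and rejected, while the clean SVG and the PNG are accepted. Regex-based screening is a coarse first gate; a full defence additionally sanitises or rasterises SVG content and always serves it with the headers shown, so that a file which slips past the gate still cannot execute script on a direct view.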
Affected Systems and Versions
Wiki.js 2.5.263 and all earlier versions are affected; the issue is fixed in 2.5.264.
Exploitation Mechanism
An attacker with upload permissions stores an SVG file containing script, declaring a non-SVG MIME type so the file is accepted and stored unchanged. The script executes when another user opens the stored file directly in the browser; it does not execute when the file is embedded via an <img> tag.
Mitigation and Prevention
Immediate Steps to Take
Upgrade Wiki.js to version 2.5.264 or later, which fixes the vulnerability.
Long-Term Security Practices
Patching and Updates
For patching details and updates, refer to the GitHub links provided.