PT-2020-12512 · Requarks · Wiki.Js

Joranhonig · Published 2020-05-05 · Updated 2020-05-08 · CVE-2020-11051

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Wiki.js versions prior to 2.3.81

Description: The issue is a stored XSS in the Markdown editor. An editor with write access to a page can inject an XSS payload into the content using the Markdown editor. If another editor with write access loads the same page into the Markdown editor, the XSS payload is executed as part of the preview panel. The rendered page itself does not contain the XSS payload, because the HTML Sanitization security module strips it; only the editor preview is affected. This issue therefore impacts only editors who load the malicious page in the Markdown editor.

Recommendations: For versions prior to 2.3.81, update to version 2.3.81 to resolve the issue. As a temporary workaround, consider restricting access to the Markdown editor for users with write access to prevent potential exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-11051
GHSA-VJ72-C9VQ-QXRV

Affected Products

Wiki.Js