CVE-2020-15236

Name of the Vulnerable Software and Affected Versions Wiki.js versions prior to 2.5.151

Description A directory traversal issue is possible when a storage module with local asset cache fetching is enabled, allowing a malicious user to read any file on the file system by crafting a special URL. This issue is only exploitable when a storage module implementing local asset cache, such as Local File System or Git, is enabled and no web application firewall solution, like cloudflare, strips potentially malicious URLs.

Recommendations For versions prior to 2.5.151, as a temporary workaround, consider disabling any storage module with local asset caching capabilities, such as Local File System and Git, until a patch is available. Update to version 2.5.151 or later, which includes the fix that sanitizes the path before it is passed on to the storage module, removing any directory traversal sequences and invalid filesystem characters.