CVE-2021-25993

Name of the Vulnerable Software and Affected Versions wiki.js versions 2.0.0-beta.147 through 2.5.255

Description The issue allows a low-privileged user, specifically an editor, to upload a malicious SVG file containing JavaScript code while adding assets to a page. This leads to a Stored XSS vulnerability, where the malicious code can capture and send JWT tokens to an attacker's server, potentially resulting in account takeover when the victim accesses the compromised page.

Recommendations For versions 2.0.0-beta.147 through 2.5.255, consider disabling the asset upload feature for low-privileged users until a patch is available to prevent the exploitation of this vulnerability. Restrict access to the page editing functionality to minimize the risk of malicious SVG file uploads. Avoid using the JWT token-based authentication mechanism in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.