PT-2021-23982 · Wiki.Js
Haxatron · Published 2021-12-27 · Updated 2022-01-07 · CVE-2021-43856
CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Wiki.js versions 2.5.263 and earlier
Description: The issue is a stored cross-site scripting vulnerability in non-image file uploads of file types that the browser renders directly inline. By uploading a crafted file that executes inline JavaScript when viewed in the browser, a malicious Wiki.js user can stage a stored cross-site scripting attack: the attacker's JavaScript runs when another user opens the file directly. The file must be opened directly by the user; it does not trigger from within a normal Wiki.js page.
Recommendations: For Wiki.js versions 2.5.263 and earlier, update to version 2.5.264 or later, which adds an optional force-download flag for all non-image file types so that such files are no longer viewed inline in the browser. As a temporary workaround, consider disabling file upload for all non-trusted users to minimize the risk of exploitation.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2021-43856
GHSA-RHPF-929M-7FM2

Affected Products

Wiki.Js