CVE-2021-25993 in Wiki.js
Summary
by MITRE • 12/29/2021
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/31/2021
The vulnerability CVE-2021-25993 represents a critical stored cross-site scripting flaw in the wiki.js platform that affects versions ranging from 2.0.0-beta.147 through 2.5.255. This security weakness stems from inadequate input validation and sanitization mechanisms within the asset upload functionality, specifically when processing SVG files. The vulnerability operates through a sophisticated attack vector that leverages the trust placed in user-uploaded content by the application's content management system.
The technical implementation of this vulnerability exploits the fact that wiki.js fails to properly sanitize SVG file uploads, allowing malicious actors with editor privileges to embed malicious JavaScript code within SVG metadata or embedded elements. When such compromised SVG files are uploaded and subsequently accessed by other users, the embedded JavaScript executes in the victim's browser context, enabling the attacker to steal session tokens and other sensitive authentication data. This particular flaw demonstrates a classic stored XSS attack pattern where malicious code is permanently stored on the server and executed whenever the compromised content is viewed.
The operational impact of this vulnerability extends beyond simple data theft, as it creates a persistent backdoor for attackers to maintain access to compromised systems. When victims view pages containing the malicious SVG files, their JWT tokens are automatically exfiltrated to attacker-controlled servers, enabling complete account takeover and persistent access to the wiki platform. This vulnerability directly maps to CWE-79 which describes cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for spearphishing with attachments, as the malicious SVG serves as the delivery mechanism for the payload.
Organizations utilizing wiki.js within this vulnerable range face significant risk of unauthorized access and potential data breaches, as the attack requires minimal privileges to execute successfully. The low-privileged editor role provides sufficient access to exploit this vulnerability, making it particularly concerning for environments where multiple users have editing capabilities. The attack chain involves initial compromise through SVG upload, followed by token harvesting, and ultimately persistent unauthorized access to the platform's administrative functions.
Mitigation strategies should include immediate implementation of proper input validation and sanitization for all uploaded file types, particularly SVG files, along with comprehensive content security policy enforcement. Organizations should implement strict file type validation, sanitize all uploaded content through dedicated libraries, and consider implementing CSP headers to prevent execution of unauthorized scripts. Additionally, privilege escalation should be carefully reviewed to limit the impact of compromised accounts, and regular security audits should be conducted to identify similar vulnerabilities in the application's file handling mechanisms. The vulnerability highlights the importance of implementing proper security controls around user-generated content and demonstrates the critical need for comprehensive input validation at all levels of application processing.