5.4

CVE-2021-25993

Exploit
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RequarksWiki.Js Version >= 2.0.1 <= 2.5.255
RequarksWiki.Js Version2.0.0 Updatebeta147
RequarksWiki.Js Version2.0.0 Updatebeta148
RequarksWiki.Js Version2.0.0 Updatebeta174
RequarksWiki.Js Version2.0.0 Updatebeta180
RequarksWiki.Js Version2.0.0 Updatebeta203
RequarksWiki.Js Version2.0.0 Updatebeta208
RequarksWiki.Js Version2.0.0 Updatebeta230
RequarksWiki.Js Version2.0.0 Updatebeta241
RequarksWiki.Js Version2.0.0 Updatebeta267
RequarksWiki.Js Version2.0.0 Updatebeta268
RequarksWiki.Js Version2.0.0 Updatebeta275
RequarksWiki.Js Version2.0.0 Updatebeta303
RequarksWiki.Js Version2.0.0 Updaterc1
RequarksWiki.Js Version2.0.0 Updaterc17
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.43
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
vulnerabilitylab@mend.io 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.