CVE-2024-34710

EPSS 0.3%
Veröffentlicht 20.05.2024 22:15:08
Zuletzt bearbeitet 21.11.2024 09:19:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection of a invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerrequarks

≫

Produkt wiki.js

Default Statusunknown

Version <= 2.5.302

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.53

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac

https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf

https://nvd.nist.gov/vuln/detail/CVE-2024-34710

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-34710

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-34710

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-34710