CVE-2020-11051

CVSS V2 Low 3.5 CVSS V3 Medium 4.8
Description
In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor (with write access as well) load the same page into the Markdown editor, the XSS payload will be executed as part of the preview panel. The rendered result does not contain the XSS payload as it is stripped by the HTML Sanitization security module. This vulnerability only impacts editors loading the malicious page in the Markdown editor. This has been patched in 2.3.81.
Overview
  • CVE ID
  • CVE-2020-11051
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2020-05-05T21:15:11
  • Last Modified Date
  • 2020-05-08T19:38:30
Weakness Enumerations
CWE URL
CWE-79 http://cwe.mitre.org/data/definitions/79.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:requarks:wiki.js:*:*:*:*:*:*:*:* 1 OR 2.3.81
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:S/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 3.5
  • Severity
  • LOW
  • Exploitability Score
  • 6.8
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • REQUIRED
  • Scope
  • CHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 4.8
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 1.7
  • Impact Score
  • 2.7
References
Reference URL Reference Tags
https://github.com/Requarks/wiki/security/advisories/GHSA-vj72-c9vq-qxrv Patch Third Party Advisory
https://github.com/Requarks/wiki/commit/05e8a71ceff39167aee830ba8ad5eb0161f2911a Patch Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2020-11051
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11051
History
Created Old Value New Value Data Type Notes
2022-05-10 17:33:10 Added to TrackCVE
2022-12-04 16:08:04 2020-05-05T21:15Z 2020-05-05T21:15:11 CVE Published Date updated
2022-12-04 16:08:04 2020-05-08T19:38:30 CVE Modified Date updated
2022-12-04 16:08:04 Analyzed Vulnerability Status updated