CVE-2021-21383

7.6 HIGH

📋 TL;DR

Wiki.js versions before 2.5.191 are vulnerable to stored cross-site scripting (XSS) through mustache expressions in code blocks. Malicious users can create crafted wiki pages that execute JavaScript when viewed by other users, potentially compromising their accounts or sessions. This affects all Wiki.js deployments running vulnerable versions.

💻 Affected Systems

Products:
  • Wiki.js
Versions: All versions before 2.5.191
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with user edit permissions are vulnerable. The vulnerability requires users to have permission to create or edit wiki pages.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface wiki content, or redirect users to malicious sites, potentially leading to full account compromise.

🟠

Likely Case

Malicious users with edit permissions inject JavaScript that executes when other users view pages, potentially stealing session tokens or performing unauthorized actions.

🟢

If Mitigated

With proper user permission controls and content sanitization, impact is limited to users with edit access abusing their privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with edit permissions. Example exploit code is available in the GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.191

Vendor Advisory: https://github.com/Requarks/wiki/security/advisories/GHSA-6xx4-m8gx-826r

Restart Required: Yes

Instructions:

1. Backup your Wiki.js instance.
2. Update to version 2.5.191 or later using npm: 'npm update wiki.js'.
3. Restart the Wiki.js service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable user content editing

all

Temporarily restrict or disable user permissions to create/edit wiki pages until patching is complete.

Content sanitization filter

all

Implement server-side filtering to strip or escape mustache expressions in code blocks.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution
  • Review and audit all user-created content for suspicious mustache expressions

🔍 How to Verify

Check if Vulnerable:

Check the Wiki.js version in the admin panel, or run 'npm list wiki.js', and confirm whether it is below 2.5.191.

Check Version:

npm list wiki.js | grep wiki.js

Verify Fix Applied:

Verify that the version is 2.5.191 or higher and test that mustache expressions in code blocks no longer execute as JavaScript.

📡 Detection & Monitoring

Log Indicators:

  • Unusual page edit patterns
  • Multiple failed login attempts followed by successful edits
  • Administrative actions from unexpected user accounts

Network Indicators:

  • Unexpected outbound connections from wiki server after page views
  • Suspicious JavaScript payloads in HTTP requests

SIEM Query:

source="wiki.js" AND (event="page_edit" OR event="page_create") AND content CONTAINS "{{"
