CVE-2021-43856
📋 TL;DR
Wiki.js versions 2.5.263 and earlier are vulnerable to stored cross-site scripting (XSS) through malicious non-image file uploads. An authenticated attacker can upload files like XML that execute JavaScript when viewed directly in browsers, potentially compromising other users' sessions. This affects all Wiki.js instances with file upload functionality enabled.
💻 Affected Systems
- Wiki.js
📦 What is this software?
Wiki.js by Requarks
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, potentially leading to full account compromise.
Likely Case
Authenticated malicious users could target other users who view uploaded files, leading to session hijacking or limited account takeover within the wiki.
If Mitigated
With proper controls, impact is limited to isolated incidents affecting only users who manually open suspicious files.
🎯 Exploit Status
Exploitation requires an authenticated user with file upload permissions. The attack is a stored XSS that triggers when a victim opens the malicious file directly in the browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.264
Vendor Advisory: https://github.com/Requarks/wiki/security/advisories/GHSA-rhpf-929m-7fm2
Restart Required: Yes
Instructions:
1. Backup your Wiki.js instance.
2. Update to version 2.5.264 or later via npm: 'npm update wiki.js'.
3. Restart the Wiki.js service.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable file uploads for untrusted users
Remove file upload permissions from users who don't absolutely need them.
Edit user permissions in Wiki.js admin panel to disable 'Upload Files' permission
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Configure web application firewall (WAF) rules to detect and block malicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check Wiki.js version in admin panel or via 'npm list wiki.js' command. Versions ≤2.5.263 are vulnerable.
Check Version:
npm list wiki.js | grep wiki.js
Verify Fix Applied:
Confirm version is ≥2.5.264 and test that non-image files download instead of displaying inline.
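The fix boils down to serving non-image uploads with a download disposition rather than inline. The following is an added example (not Wiki.js's own code) showing that decision as a small Node.js helper, plus a checker for the verification step above that reads response headers (for example from a HEAD request against an uploaded .xml asset) and reports whether the browser would render it inline. The allowed inline image types and the list of script-capable content types are assumptions for this example.

```javascript
// Added example, not Wiki.js code: decide how an uploaded asset is served so
// that anything other than a raster image is downloaded, never rendered.
const INLINE_IMAGE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp',
]);

// Content types a browser will parse and execute script from when shown inline.
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'application/xml', 'text/xml',
]);

// Minimal extension -> MIME map (assumption); a real server uses a mime library.
const EXT_TO_MIME = {
  png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif',
  webp: 'image/webp', svg: 'image/svg+xml', xml: 'application/xml',
  html: 'text/html', pdf: 'application/pdf', txt: 'text/plain',
};

function mimeFor(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  return EXT_TO_MIME[ext] || 'application/octet-stream';
}

// Response headers for an uploaded asset. Only raster images stay inline;
// SVG (which can carry script), XML, HTML and everything else are forced to
// download, and nosniff stops the browser from second-guessing the type.
function assetHeaders(filename) {
  const mime = mimeFor(filename);
  const safeName = filename.replace(/[^\w.-]/g, '_'); // keep the header clean
  const disposition = INLINE_IMAGE_TYPES.has(mime) ? 'inline' : 'attachment';
  return {
    'Content-Type': mime,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `${disposition}; filename="${safeName}"`,
  };
}

// Verification helper: given the headers of a response for a non-image asset,
// return true if a browser would render (and so execute) it inline.
function wouldRenderInline(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const disp = (h['content-disposition'] || '').trim().toLowerCase();
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (disp.startsWith('attachment')) return false;
  return ACTIVE_CONTENT_TYPES.has(type);
}
```

On a patched instance, `wouldRenderInline` over the headers returned for an uploaded .xml or .svg asset should be false; true means the file is still displayed inline.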
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads (especially XML, SVG, HTML files)
- Multiple failed file upload attempts
- User accounts accessing unusual file types
Network Indicators:
- HTTP requests for non-image files with suspicious content types
- File uploads containing script tags or JavaScript
SIEM Query:
source="wiki.js" AND (event="file_upload" OR event="file_access") AND file_type IN ("xml", "svg", "html")
🔗 References
- https://github.com/Requarks/wiki/commit/79bdd4409316adf649806de3e22352297f85cee0
- https://github.com/Requarks/wiki/releases/tag/2.5.264
- https://github.com/Requarks/wiki/security/advisories/GHSA-rhpf-929m-7fm2