CVE-2024-34710: Wiki.js Vulnerability Exposes Users to Potential Account Takeover
Wiki.js, a popular open-source wiki engine, has patched a critical security vulnerability that could have allowed attackers to inject malicious code and potentially compromise user accounts, including those with elevated privileges. The vulnerability, designated CVE-2024-34710, poses a serious risk due to its potential for stored cross-site scripting (XSS) attacks, having a CVSS score of 7.1.
Wiki.js is a robust, open-source wiki engine built on Node.js and written in JavaScript. It offers a user-friendly platform for creating and managing collaborative knowledge bases, documentation, or any information repository. With over 50,000 downloads and more than 23.6k stars on GitHub, Wiki.js is a trusted tool for many developers and organizations.
The vulnerability stems from a flaw in the client-side template injection mechanism, allowing an attacker to inject malicious JavaScript into the content section of Wiki.js pages. This malicious code executes whenever a victim loads the compromised page, leading to potential exploitation.
The root cause of this vulnerability lies in the improper handling of mustache expressions within Wiki.js. These expressions are escaped before the dom-purify
module processes them, resulting in the removal of invalid HTML tags. Consequently, the mustache expressions are no longer escaped, enabling the injection of malicious code.
An attacker could exploit this vulnerability by injecting an invalid HTML tag followed by a template payload, as shown in the example below:
When a victim loads a page containing this payload, the injected JavaScript executes in the context of the victim’s browser.
The Wiki.js development team has promptly addressed the CVE-2024-34710 vulnerability, releasing a patch in version 2.5.303. Users and administrators are strongly encouraged to update to this latest version to protect their installations from potential exploits.