CVE-2021-25993 is a stored Cross-site Scripting (XSS) vulnerability identified in Requarks wiki.js, specifically affecting versions from 2.0.0-beta.147 up to 2.5.255. The vulnerability arises when a low-privileged user with editor rights uploads an SVG file as an asset to a wiki page. SVG files can contain embedded JavaScript, and in this case, the application fails to properly sanitize or validate the SVG content before storing and rendering it. This allows the malicious JavaScript embedded within the SVG to execute in the context of other users viewing the page, including those with higher privileges. The exploit involves the malicious script sending the victim's JSON Web Tokens (JWT) to an attacker-controlled server. JWT tokens are commonly used for authentication and session management, so their theft can lead to account takeover, compromising user confidentiality and integrity. The vulnerability requires the attacker to have editor-level access to upload the malicious SVG, and the victim must interact with the infected page for the exploit to succeed. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges and user interaction, with partial confidentiality and integrity impact but no availability impact. No known exploits in the wild have been reported to date. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. No official patches or fixes are linked in the provided data, indicating that mitigation may rely on configuration changes or updates from the vendor. This vulnerability is significant because it leverages a trusted user role (editor) to inject malicious content, which can bypass typical perimeter defenses and affect authenticated users, potentially including administrators.

For European organizations using Requarks wiki.js versions 2.0.0-beta.147 to 2.5.255, this vulnerability poses a risk of account compromise through token theft, which can lead to unauthorized access to sensitive internal documentation and collaboration platforms. The impact is particularly critical for organizations relying on wiki.js for knowledge management, internal communications, or documentation of sensitive processes, including government agencies, financial institutions, and critical infrastructure operators. Compromise of JWT tokens can allow attackers to impersonate users, escalate privileges, and exfiltrate confidential information, undermining data confidentiality and integrity. Since the vulnerability requires editor-level access, insider threats or compromised low-privilege accounts could be leveraged to exploit this flaw. The stored XSS nature means that multiple users can be affected once the malicious SVG is uploaded. This can lead to widespread session hijacking and persistent compromise within the affected environment. Given the collaborative nature of wiki.js, the attack surface includes all users who access the infected pages, increasing the potential scope of impact. Although no availability impact is noted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving unauthorized access can be significant for European entities.

1. Upgrade wiki.js to a version beyond 2.5.255 where this vulnerability is patched, or apply any vendor-provided security updates as soon as they become available. 2. Implement strict validation and sanitization of SVG files before allowing upload, including stripping or disabling embedded scripts within SVG assets. 3. Restrict editor privileges to trusted users only and enforce the principle of least privilege to minimize the risk of malicious uploads. 4. Monitor asset uploads for anomalous SVG files and implement file integrity checks or scanning with security tools capable of detecting embedded scripts. 5. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 6. Educate users about the risks of interacting with untrusted content and encourage reporting of suspicious wiki pages. 7. Regularly audit JWT token usage and implement short token lifetimes with refresh mechanisms to limit the window of token misuse. 8. Consider implementing multi-factor authentication (MFA) to reduce the risk of account takeover even if tokens are compromised. 9. Use web application firewalls (WAF) with custom rules to detect and block malicious SVG payloads or suspicious requests related to asset uploads. 10. Conduct periodic security assessments and penetration testing focused on wiki.js deployments to identify and remediate similar vulnerabilities proactively.