CVE-2024-42758 identifies a stored Cross-site Scripting (XSS) vulnerability in the indexmenu plugin version v2024-01-05 for Dokuwiki, an open-source wiki engine widely used for collaborative documentation. The vulnerability arises because the plugin does not properly sanitize user input when creating or editing pages. Malicious actors can inject JavaScript payloads that are stored persistently in the .txt files Dokuwiki uses to save page content. When other users view the affected pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deliver further payloads. The vulnerability has a CVSS 3.1 base score of 5.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring no privileges but some user interaction (viewing the page). The impact affects confidentiality and integrity but not availability. No official patches or fixes have been linked yet, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS. Given Dokuwiki’s design, which stores pages as text files, the persistent nature of the XSS makes it particularly dangerous in environments where many users have editing rights or where untrusted users can contribute content.

The primary impact of CVE-2024-42758 is on the confidentiality and integrity of user sessions and data within Dokuwiki environments. Successful exploitation can lead to session hijacking, unauthorized actions performed by victim users, and potential distribution of malware or phishing content via the wiki pages. While availability is not directly affected, the trustworthiness of the wiki content and user data integrity can be compromised, potentially disrupting collaboration and knowledge sharing. Organizations relying on Dokuwiki for internal or external documentation, especially those with multiple contributors or public-facing wikis, face increased risk of data leakage and unauthorized access. The vulnerability could be leveraged as a foothold for further attacks within an organization’s network if attackers escalate privileges or move laterally after compromising user accounts. Although no exploits are known in the wild, the medium severity and ease of exploitation warrant proactive mitigation to prevent potential damage.

To mitigate CVE-2024-42758, organizations should first verify if the indexmenu plugin version v2024-01-05 is in use and enabled in their Dokuwiki installations. Immediate steps include disabling the vulnerable plugin until a patch or update is available. Administrators should restrict editing permissions to trusted users only, minimizing the risk of malicious input. Input validation and sanitization should be enforced at the application level, potentially by applying custom filters or using security extensions that sanitize wiki content. Monitoring and auditing wiki pages for suspicious scripts or unexpected content can help detect exploitation attempts. Educating users to avoid clicking on suspicious links or executing untrusted scripts within the wiki environment is also important. Regularly updating Dokuwiki and its plugins to the latest versions once patches are released will ensure long-term protection. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution contexts.