CVE-2024-34710
HIGH
Wiki.js <= 2.5.302 - Stored Cross-Site Scripting via Invalid HTML Tag Injection
Wiki.js is a wiki app built on Node.js. A client-side template injection vulnerability was discovered that could allow an attacker to inject malicious JavaScript into the content section of pages, which would execute once a victim loads the page containing the payload. This was possible through the injection of an invalid HTML tag with a template injection payload on the next line. This vulnerability is fixed in 2.5.303.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/requarks/wiki/security/advisories/GHSA-xjcj-p2qv-q3rf
Patch x_refsource_misc
https://github.com/requarks/wiki/commit/1238d614e1599fefadd4614ee4b5797a087f50ac
Scores
CVSS v3: 7.1
EPSS: 0.0040
EPSS Percentile: 31.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-1336
Status: published
Products (1)
requarks/wiki <= 2.5.302
Published: May 20, 2024
Tracked Since: Feb 18, 2026