CVE-2024-53930
Description
WikiDocs before 1.0.65 allows stored XSS by authenticated users via data that comes after $$\\, which is mishandled by a KaTeX parser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WikiDocs before 1.0.65 contains a stored XSS vulnerability via KaTeX parsing of user-supplied mathematical expressions.
WikiDocs versions prior to 1.0.65 contain a stored cross-site scripting (XSS) vulnerability caused by insufficient sanitization of user-supplied LaTeX mathematical expressions processed by the integrated KaTeX parser. The root cause is that input following $$\ is passed to the KaTeX parser without adequate filtering, allowing injection of arbitrary HTML and JavaScript through commands such as \href, \html, and \htmlStyle, as well as by embedding dangerous HTML tags within math environments [1][3].

An attacker with a valid WikiDocs account (an authenticated user) can exploit this vulnerability by crafting a page containing malicious KaTeX markup. The injected payload is stored and rendered each time another user views the affected page, requiring no privileges beyond standard editing capabilities [3]. Successful exploitation enables an attacker to hijack sessions by stealing session cookies, access sensitive data, or otherwise impersonate legitimate users within the application's context [3].

The issue is patched in WikiDocs version 1.0.65, which introduces a dedicated SecurityFilters class containing a `filterKaTeX()` method that blacklists dangerous commands and tags and escapes potentially malicious content [1][4]. The patch also prevents escaping from math mode by replacing lone backslashes, closing the attack vector uncovered by security researchers using the XBOW platform [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
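The following is an added illustration of the kind of pre-filter the narrative above describes, written here in dependency-free JavaScript; it is not code from WikiDocs, its SecurityFilters class or the 1.0.65 patch. The blocked-command list, the `\text{[removed]}` replacement, the rewrite of literal angle brackets to KaTeX's `\lt`/`\gt` relations, and the lone-backslash rule are all assumptions chosen for this example, not details taken from the fix commit.

```javascript
// Added example: a defensive pre-filter for user-supplied KaTeX source,
// applied at save time before the expression is stored. This is NOT
// WikiDocs' SecurityFilters::filterKaTeX(); every rule below is an
// assumption made for illustration.

// Trust-gated KaTeX commands. With KaTeX's default `trust: false` these
// already render as errors, but a server-side store filter should not rely
// on the client's rendering options alone. \html is matched as a prefix so
// that \htmlClass, \htmlId, \htmlStyle and \htmlData are all covered.
const BLOCKED_COMMAND_RE =
  /\\(?:href|url|includegraphics)(?![A-Za-z])|\\html[A-Za-z]*/g;

// Literal angle brackets are what a raw HTML tag needs in order to survive.
// The KaTeX relations \lt and \gt keep the mathematical meaning of "<" and
// ">" (so "a<b" still renders as an inequality) while leaving no tag.
const ANGLE_RE = /[<>]/g;

// A backslash followed only by a line break or the end of the expression
// cannot start a command and can swallow a closing delimiter in the
// surrounding Markdown; it is rendered as the literal \backslash glyph.
// The "\\\\" alternative consumes KaTeX's own line-break command first so
// that "\\" at the end of a line (common in aligned environments) is kept.
const LONE_BACKSLASH_RE = /\\\\|\\(?=\r?\n|$)/g;

function filterKaTeX(src) {
  const findings = [];

  // 1. Blocked commands become plain text: "\href{u}{t}" renders as the
  //    literal word "[removed]" followed by its now-harmless groups.
  let out = src.replace(BLOCKED_COMMAND_RE, (cmd) => {
    findings.push({ kind: "blocked-command", token: cmd });
    return "\\text{[removed]}";
  });

  // 2. Neutralise raw tags without losing inequalities.
  out = out.replace(ANGLE_RE, (ch) => {
    findings.push({ kind: "angle-bracket", token: ch });
    return ch === "<" ? "\\lt " : "\\gt ";
  });

  // 3. Lone backslashes (the "\\" line break is passed through unchanged).
  out = out.replace(LONE_BACKSLASH_RE, (m) => {
    if (m === "\\\\") return m;
    findings.push({ kind: "lone-backslash", token: m });
    return "\\backslash";
  });

  return { output: out, findings };
}

// Write-time policy helper: reject an edit outright instead of silently
// rewriting it. Angle brackets are tolerated because they are legitimate
// in inequalities; blocked commands and lone backslashes are not.
function isSafeKaTeX(src) {
  return filterKaTeX(src).findings.every((f) => f.kind === "angle-bracket");
}

// Constructed samples (not taken from the advisory), printed when the file
// is run directly.
const SAMPLES = [
  "x^2 + \\frac{1}{2}",
  "\\href{https://example.invalid/}{link}",
  "\\htmlStyle{color:red}{x}",
  "a<b>c",
  "\\begin{aligned} a &= b \\\\\n c &= d \\end{aligned}",
  "x + y\\",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    const r = filterKaTeX(s);
    console.log(JSON.stringify(s), "->", JSON.stringify(r.output),
      r.findings.length ? r.findings : "clean");
  }
}
```

Two design points worth noting. First, the filter is a second layer: rendering with KaTeX's `trust` option left at its default of `false` already refuses `\href`, `\url`, `\includegraphics` and the `\html*` family, so the server-side check matters most where that option has been relaxed or where the stored text reaches a renderer you do not control. Second, the `<` to `\lt` rewrite is only valid in math mode; an expression that legitimately contains angle brackets inside a `\text{}` group would need a text-mode equivalent, which this example does not handle.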
Affected products: 1
Patches: 2aa264bd046a2311603c26106
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0 (no linked articles in our index yet)