9
CVE-2020-15179
- EPSS 1.22%
- Veröffentlicht 15.09.2020 18:15:14
- Zuletzt bearbeitet 21.11.2024 05:05:00
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginHTML Injection in ScratchSig
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Scratch-wiki ≫ Scratchsig SwPlatformmediawiki Version < 1.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.22% | 0.647 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9 | 2.3 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
|
| nvd@nist.gov | 4.6 | 3.9 | 6.4 |
AV:N/AC:H/Au:S/C:P/I:P/A:P
|
| security-advisories@github.com | 8 | 1.3 | 6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/InternationalScratchWiki/wiki-scratchsig/commit/4160a39a20eebeb63a59eb7597a91b961eca6388
https://github.com/InternationalScratchWiki/wiki-scratchsig/security/advisories/GHSA-gp9v-pg9f-vmp6