CVE-2020-15179
HIGH 8.0
Description
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using a <script> tag inside a <scratchsig> tag, attackers with edit permission can execute scripts in visitors' browsers. With the MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.
CVE Details
CVSS v3.1 score: 8.0
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: HIGH
Privileges required: LOW
User interaction: REQUIRED
Published: 9/15/2020
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
scratch-wiki:scratchsig
Weaknesses (CWE)
CWE-79
References
https://github.com/InternationalScratchWiki/wiki-scratchsig/commit/4160a39a20eebeb63a59eb7597a91b961eca6388 (security-advisories@github.com)
https://github.com/InternationalScratchWiki/wiki-scratchsig/security/advisories/GHSA-gp9v-pg9f-vmp6 (security-advisories@github.com)
https://github.com/InternationalScratchWiki/wiki-scratchsig/commit/4160a39a20eebeb63a59eb7597a91b961eca6388 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/InternationalScratchWiki/wiki-scratchsig/security/advisories/GHSA-gp9v-pg9f-vmp6 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.