Unrated severityNVD Advisory· Published Sep 15, 2020· Updated Aug 4, 2024

HTML Injection in ScratchSig

CVE-2020-15179

Description

The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using tag inside tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.

Affected products

InternationalScratchWiki/ScratchSigllm-create2 versions
< 1.0.1+ 1 more
- (no CPE)range: < 1.0.1
- (no CPE)range: < 1.0.1

Patches

Vulnerability mechanics

References

github.com/InternationalScratchWiki/wiki-scratchsig/commit/4160a39a20eebeb63a59eb7597a91b961eca6388mitrex_refsource_MISC
github.com/InternationalScratchWiki/wiki-scratchsig/security/advisories/GHSA-gp9v-pg9f-vmp6mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000