HIGH🇵🇱 Wersja polska

CVE-2020-15179

CVSS 8.0v3.1pub. 2020-09-15upd. 2024-11-21

The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  • Scratch Wiki Scratchsig

    APP
    Scratch-Wiki
    < 1.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSSLPE
CWE
References

Related vulnerabilities

CVE-2020-15164CRITICAL10.0ten sam vendor

in Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same us...

CVE-2022-42985MEDIUM4.8ten sam vendor

The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allo...

CVE-2021-46252MEDIUM6.5ten sam vendor

A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 al...