The ScratchLogin extension through 1.1 for MediaWiki does not escape verification failure messages, which allows users with administrator privileges to perform cross-site scripting (XSS).
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NScratch Wiki Scratch Login
APPScratch-Wiki≤ 1.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
Related vulnerabilities
CVE-2020-15164CRITICAL10.0ten sam produkt
in Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same us...
CVE-2020-15179HIGH8.0ten sam vendor
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script>...
CVE-2021-46252MEDIUM6.5ten sam vendor
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 al...