The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-15T18:10:13

Updated: 2024-08-04T13:08:22.438Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15179

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-09-15T18:15:14.000

Modified: 2024-11-21T05:05:00.977

Link: CVE-2020-15179

cve-icon Redhat

No data.