The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-09-15T18:10:13
Updated: 2024-08-04T13:08:22.438Z
Reserved: 2020-06-25T00:00:00
Link: CVE-2020-15179
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-09-15T18:15:14.000
Modified: 2024-11-21T05:05:00.977
Link: CVE-2020-15179
Redhat
No data.