This repository has been archived by the owner on Oct 21, 2020. It is now read-only.

Stored Cross-site Scripting

Critical
jacob-g published GHSA-gp9v-pg9f-vmp6 Sep 15, 2020

Package

mw-scratchsig2

Affected versions

1.0

Patched versions

1.0.1

Description

Impact

The ScratchSig extension for MediaWiki allows stored cross-site scripting. By using a <script> tag inside the extension's tag, attackers with edit permission can execute scripts in visitors' browsers. With the MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover.
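
The bug class described above, as an added illustration that is not the ScratchSig code: MediaWiki places the string returned by a tag-extension callback into the page as HTML, so the callback has to escape the tag body and attributes itself. The tag name "sig", the function names and the sample values are hypothetical, and the callbacks take only the first two hook parameters so the file runs under plain PHP.

```php
<?php
// Added illustration, not the ScratchSig source. The tag name "sig", the
// function names and the sample values are hypothetical.

// Vulnerable pattern: the tag body and an attribute are concatenated into the
// returned HTML, so markup saved by an editor reaches every visitor's browser.
function renderSigVulnerable( $input, array $args ) {
    $title = $args['title'] ?? '';
    return '<span class="sig" title="' . $title . '">' . $input . '</span>';
}

// Hardened pattern: everything that came from wikitext is escaped for the
// context it lands in. $input is null when the tag is self-closing.
function renderSigHardened( $input, array $args ) {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $title = htmlspecialchars( (string)( $args['title'] ?? '' ), $flags, 'UTF-8' );
    $body = htmlspecialchars( (string)$input, $flags, 'UTF-8' );
    return '<span class="sig" title="' . $title . '">' . $body . '</span>';
}

// Constructed sample: content an editor could save inside the tag, plus an
// attribute value containing quotes.
$body = 'alice<script>alert(1)</script>';
$args = [ 'title' => 'Signature of "alice"' ];

// The vulnerable renderer emits a live <script> element and a broken title
// attribute; the hardened one emits the same text as inert character data.
echo renderSigVulnerable( $body, $args ), "\n";
echo renderSigHardened( $body, $args ), "\n";
echo renderSigHardened( null, [] ), "\n";
```

In a real extension the same result can be had from MediaWiki's `Html::element()`, which escapes both attribute values and element content.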

Patches

This has been patched in release 1.0.1, which has already been deployed to all Scratch Wikis.

Workarounds

No workarounds exist other than disabling the extension completely.

Severity

Critical

CVE ID

CVE-2020-15179

Weaknesses

No CWEs
