CVE-2020-15179

HIGH

ScratchSig < 1.0.1 - Stored Cross-Site Scripting via <scratchsig> Tag

Title source: llm
STIX 2.1

Description

The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. No workarounds exist other than disabling the extension completely.

Scores

CVSS v3 8.0
EPSS 0.0122
EPSS Percentile 65.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (1)
scratch-wiki/scratchsig < 1.0.1
Published Sep 15, 2020
Tracked Since Feb 18, 2026