CVE-2020-15275

HIGH

MoinMoin <1.9.11 - XSS

Title source: llm

Description

MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.

References (4)

[Exploit, Third Party Advisory] https://advisory.checkmarx.net/advisory/CX-2020-4285

[Patch, Third Party Advisory] https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11

[Third Party Advisory] https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43

Scores

CVSS v3 8.7

EPSS 0.0042

EPSS Percentile 61.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

moinmo/moinmoin < 1.9.11

pypi/moin < 1.9.11PyPI

Timeline

Published Nov 11, 2020

Tracked Since Feb 18, 2026