The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag,…
GitHub_M·CWE-79·Published 2020-09-15
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. By placing a `<script>` tag inside a `<scratchsig>` tag, attackers with edit permission can execute scripts in visitors' browsers. Through the MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1, which has already been deployed to all Scratch Wikis. No workaround exists other than disabling the extension completely.
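Added example, not code from the advisory or from the ScratchSig extension: a Python scan of stored wikitext revisions that flags `<scratchsig>` bodies carrying script-like content, which a wiki operator can run over page history to find abuse of this issue; the revision list and the tag layout are constructed assumptions.

```python
"""Scan stored wikitext for <scratchsig> tags whose body carries script
payloads (the vector described for ScratchSig < 1.0.1). Constructed example."""
import re
from dataclasses import dataclass

# A <scratchsig ...>...</scratchsig> block, case-insensitive, may span lines.
SCRATCHSIG_RE = re.compile(
    r"<scratchsig\b[^>]*>(?P<body>.*?)</scratchsig\s*>",
    re.IGNORECASE | re.DOTALL,
)
# Script-bearing constructs treated as suspicious inside the tag body:
# a <script> tag, an on*= event-handler attribute, or a javascript: URL.
SUSPICIOUS_RE = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rev_id: int
    body: str


def scan_revision(rev_id: int, wikitext: str) -> list[Finding]:
    """Return one Finding per <scratchsig> block with script-like content."""
    findings = []
    for m in SCRATCHSIG_RE.finditer(wikitext):
        body = m.group("body")
        if SUSPICIOUS_RE.search(body):
            findings.append(Finding(rev_id, body.strip()))
    return findings


def scan_revisions(revs) -> list[Finding]:
    """Scan an iterable of (rev_id, wikitext) pairs, e.g. a page's history."""
    out: list[Finding] = []
    for rev_id, text in revs:
        out.extend(scan_revision(rev_id, text))
    return out


# Constructed sample revisions (hypothetical wiki content, not real data).
SAMPLE_REVISIONS = [
    (101, "Hello --<scratchsig>Alice</scratchsig> 12:00"),
    (102, "See talk --<scratchsig>Bob<script>x()</script></scratchsig>"),
    (103, "Done --<SCRATCHSIG>Carol<img src=x onerror=go()></SCRATCHSIG>"),
]

if __name__ == "__main__":
    for f in scan_revisions(SAMPLE_REVISIONS):
        print(f"rev {f.rev_id}: suspicious scratchsig body {f.body!r}")
```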
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.6 | 3.9 | 6.4 | AV:N/AC:H/Au:S/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 9.0 | 2.3 | 6.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.0 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.0 | 1.3 | 6.0 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |