CVE-2020-15275 — Cross-site Scripting in Moinmoin

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.4%

top 38.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moinwiki Moin-1.9 Moinmo Moinmoin

Timeline

PublishedNov 11

Description

MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDmoinmo/moinmoin< 1.9.11

▶CVEListV5moinwiki/moin-1.9< 1.9.11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-15275: MoinMoin is a wiki engine↗2020-11-11

▶

OSV

moin vulnerabilities↗2020-11-11

▶

GHSA

malicious SVG attachment causing stored XSS vulnerability↗2020-11-11

▶

OSV

malicious SVG attachment causing stored XSS vulnerability↗2020-11-11

▶

📋Vendor Advisories

Ubuntu

MoinMoin vulnerabilities↗2020-11-11

▶