CVE-2015-2793 : Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ik

Cross-site scripting (XSS) vulnerability in templates/openid-selector.tmpl in ikiwiki before 3.20150329 allows remote attackers to inject arbitrary web script or HTML via the openid_identifier parameter in a verify action to ikiwiki.cgi.

Published 2019-11-21 20:15:16

Updated 2019-12-02 20:04:45

Source Debian GNU/Linux

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2015-2793

Fedoraproject » Fedora » Version: 20
cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 21
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 22
cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
Matching versions
Ikiwiki » Ikiwiki
Versions before (<) 3.20150329
cpe:2.3:a:ikiwiki:ikiwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-2793

EPSS FAQ

1.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-2793

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2015-2793

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-2793

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781483

#781483 - ikiwiki: CVE-2015-2793: cross-site scripting via openid_identifier - Debian Bug report logs
Issue Tracking;Third Party Advisory
http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=18dfba868fe2fb9c64706b2123eb0b3a3ce66a77

source.ikiwiki.branchable.com Git - source.git/commitdiff
Patch
http://openwall.com/lists/oss-security/2015/03/30/5

oss-security - CVE Request: ikiwiki: cross-site scripting via openid_identifier
Mailing List;Patch;Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157025.html

[SECURITY] Fedora 20 Update: ikiwiki-3.20150329-1.fc20
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1207210

1207210 – (CVE-2015-2793) CVE-2015-2793 ikiwiki: cross-site scripting via openid_identifier
Issue Tracking;Patch;Third Party Advisory
https://ikiwiki.info/bugs/XSS_Alert...__33____33____33__/

XSS Alert...!!!
Exploit;Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157023.html

[SECURITY] Fedora 21 Update: ikiwiki-3.20150329-1.fc21
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157001.html

[SECURITY] Fedora 22 Update: ikiwiki-3.20150329-1.fc22
Third Party Advisory
http://openwall.com/lists/oss-security/2015/03/31/1

oss-security - Re: CVE Request: ikiwiki: cross-site scripting via openid_identifier
Mailing List;Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2015-2793

Products affected by CVE-2015-2793

Exploit prediction scoring system (EPSS) score for CVE-2015-2793

CVSS scores for CVE-2015-2793

CWE ids for CVE-2015-2793

References for CVE-2015-2793