CVE-2020-15275 : MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with w

MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.

Published 2020-11-11 16:15:13

Updated 2022-10-18 20:47:16

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2020-15275

Moinmo » Moinmoin
Versions before (<) 1.9.11
cpe:2.3:a:moinmo:moinmoin:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15275

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15275

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
8.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N	2.3	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2020-15275

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-15275

https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2

Merge pull request from GHSA-4q96-6xhq-ff43 · moinwiki/moin-1.9@31de913 · GitHub
Patch;Third Party Advisory
https://advisory.checkmarx.net/advisory/CX-2020-4285

Checkmarx Advisory | CX-2020-4285 / XSS in MoinMoin when uploading a SVG file with malicious javascript code in its content
Exploit;Third Party Advisory
https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43

malicious SVG attachment causing stored XSS vulnerability · Advisory · moinwiki/moin-1.9 · GitHub
Third Party Advisory
https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11

Release MoinMoin Wiki 1.9.11 · moinwiki/moin-1.9 · GitHub
Release Notes;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15275

Products affected by CVE-2020-15275

Exploit prediction scoring system (EPSS) score for CVE-2020-15275

CVSS scores for CVE-2020-15275

CWE ids for CVE-2020-15275

References for CVE-2020-15275