CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15179 – HTML Injection in ScratchSig
https://notcve.org/view.php?id=CVE-2020-15179
The ScratchSig extension for MediaWiki before version 1.0.1 allows stored Cross-Site Scripting. Using <script> tag inside <scratchsig> tag, attackers with edit permission can execute scripts on visitors' browser. With MediaWiki JavaScript API, this can potentially lead to privilege escalation and/or account takeover. This has been patched in release 1.0.1. This has already been deployed to all Scratch Wikis. • https://github.com/InternationalScratchWiki/wiki-scratchsig/commit/4160a39a20eebeb63a59eb7597a91b961eca6388 https://github.com/InternationalScratchWiki/wiki-scratchsig/security/advisories/GHSA-gp9v-pg9f-vmp6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15164 – Authentication Bypass in Scratch Login (mediawiki-scratch-login)
https://notcve.org/view.php?id=CVE-2020-15164
in Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using this extension. Since version 1.1, comments by users whose usernames would be trimmed on MediaWiki are ignored when searching for the verification code. En Scratch Login (extensión de MediaWiki) versiones anteriores a versión 1.1, cualquier cuenta puede ser registrada usando el mismo nombre de usuario con guiones bajos al principio, al final o repetidos, ya que MediaWiki los trata como espacios en blanco y los recorta. Esto afecta a todos los usuarios de cualquier wiki que usan esta extensión. • https://github.com/InternationalScratchWiki/mediawiki-scratch-login/commit/70849ef375016a1061490c8c4744046dbfc3e679 https://github.com/InternationalScratchWiki/mediawiki-scratch-login/security/advisories/GHSA-8fq5-g4m5-6j43 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10870
https://notcve.org/view.php?id=CVE-2020-10870
Zim through 0.72.1 creates temporary directories with predictable names. A malicious user could predict and create Zim's temporary directories and prevent other users from being able to start Zim, resulting in a denial of service. Zim versiones hasta 0.72.1, crea directorios temporales con nombres predecibles. Un usuario malicioso podría predecir y crear los directorios temporales de Zim e impedir que otros usuarios sean capaces de iniciar Zim, resultando en una denegación de servicio. • https://github.com/zim-desktop-wiki/zim-desktop-wiki/issues/1028 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000497
https://notcve.org/view.php?id=CVE-2017-1000497
Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution Pepperminty-Wiki versión 0.15 es vulnerable a ataques de XXE en la función getsvgsize, lo que resulta en una denegación de servicio y, posiblemente, la ejecución remota de código. • https://github.com/sbrl/Pepperminty-Wiki/issues/152 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2008-6200 – Swiki 1.5 - HTML Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-6200
Multiple cross-site scripting (XSS) vulnerabilities in Swiki 1.5 allow remote attackers to inject arbitrary web script or HTML via (1) the query string and (2) a new wiki entry. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Swiki v1.5 permiten a atacantes remotos inyectar web script o HTML de su elección a través de (1) una cadena de petición y (2) una nueva entrada en la wiki. • https://www.exploit-db.com/exploits/31628 http://www.securityfocus.com/archive/1/490561/100/0/threaded http://www.securityfocus.com/bid/28680 https://exchange.xforce.ibmcloud.com/vulnerabilities/48838 https://exchange.xforce.ibmcloud.com/vulnerabilities/48839 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •