CVE-2020-15274 Information
Feb 14, 2021
Description
In Wiki.js before version 2.5.162, an XSS payload can be injected into a page title and executed via the search results. The title is properly escaped in both the navigation links and the actual page title, but not in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
https://docs.requarks.io/releases
https://github.com/Requarks/wiki/commit/a57d9af34c15adbf460dde6553d964efddf433de
https://github.com/Requarks/wiki/security/advisories/GHSA-pgjv-84m7-62q7
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM