CVE-2020-15275 - Vulnerability Details - OpenCVE

MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moinmo	Moinmoin

Configuration 1 [-]

cpe:2.3:a:moinmo:moinmoin:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://advisory.checkmarx.net/advisory/CX-2020-4285
https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2
https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11
https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-11-11T15:45:15

Updated: 2024-08-04T13:15:19.004Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15275

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-11T16:15:13.237

Modified: 2024-11-21T05:05:14.927

Link: CVE-2020-15275

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "moin-1.9", "vendor": "moinwiki", "versions": [{"status": "affected", "version": "< 1.9.11"}]}], "descriptions": [{"lang": "en", "value": "MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-30T21:15:23", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"}, {"tags": ["x_refsource_MISC"], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4285"}], "source": {"advisory": "GHSA-4q96-6xhq-ff43", "discovery": "UNKNOWN"}, "title": "malicious SVG attachment causing stored XSS vulnerability in MoinMoin", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15275", "STATE": "PUBLIC", "TITLE": "malicious SVG attachment causing stored XSS vulnerability in MoinMoin"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "moin-1.9", "version": {"version_data": [{"version_value": "< 1.9.11"}]}}]}, "vendor_name": "moinwiki"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43", "refsource": "CONFIRM", "url": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}, {"name": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11", "refsource": "MISC", "url": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"}, {"name": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2", "refsource": "MISC", "url": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"}, {"name": "https://advisory.checkmarx.net/advisory/CX-2020-4285", "refsource": "MISC", "url": "https://advisory.checkmarx.net/advisory/CX-2020-4285"}]}, "source": {"advisory": "GHSA-4q96-6xhq-ff43", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:15:19.004Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4285"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15275", "datePublished": "2020-11-11T15:45:15", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:15:19.004Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moinmo:moinmoin:*:*:*:*:*:*:*:*", "matchCriteriaId": "90280389-72FE-47AD-9A03-4287C050976A", "versionEndExcluding": "1.9.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes."}, {"lang": "es", "value": "MoinMoin es un motor de wiki. En MoinMoin antes de la versi\u00f3n 1.9.11, un atacante con permisos de escritura puede cargar un archivo SVG que contiene javascript malicioso. Este javascript se ejecutar\u00e1 en el navegador de un usuario cuando el usuario est\u00e9 viendo ese archivo SVG en la wiki. Se recomienda encarecidamente a los usuarios que se actualicen a una versi\u00f3n parcheada. MoinMoin Wiki versi\u00f3n 1.9.11 tiene las correcciones necesarias y tambi\u00e9n contiene otras correcciones importantes"}], "id": "CVE-2020-15275", "lastModified": "2024-11-21T05:05:14.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-11T16:15:13.237", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4285"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://advisory.checkmarx.net/advisory/CX-2020-4285"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}