Vulnerability Description
In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.
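As an added illustration (not code from the Wiki.js project or the referenced commit), the unsafe and the escaped way of rendering a search-result entry whose title is attacker-controlled; the function names and the sample record are assumed:

```javascript
// Added example: escaping a user-controlled page title before it is rendered
// in a search-result list. Not Wiki.js code; function names are assumed.

// Minimal HTML escaper for text placed in element content or quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored title is interpolated straight into HTML,
// so markup in the title becomes live markup in the results page.
function renderResultUnsafe(result) {
  return `<li><a href="${result.path}">${result.title}</a></li>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// which is what the fix described above does for the search-result text.
function renderResultSafe(result) {
  return `<li><a href="${escapeHtml(result.path)}">${escapeHtml(result.title)}</a></li>`;
}

// Constructed sample record: a page whose title carries a script tag.
const sample = { path: '/docs/guide', title: 'Guide <script>alert(1)</script>' };

// Simple check usable in a test suite: does the rendered HTML still contain
// a raw script tag that originated in the stored title?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderResultUnsafe(sample)); // markup survives: stored XSS
console.log(renderResultSafe(sample));   // markup is shown as literal text
```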
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Requarks | Wiki.Js | < 2.5.162 |
Related Weaknesses (CWE)
References
- https://docs.requarks.io/releases (Release Notes, Vendor Advisory)
- https://github.com/Requarks/wiki/commit/a57d9af34c15adbf460dde6553d964efddf433de (Patch, Third Party Advisory)
- https://github.com/Requarks/wiki/security/advisories/GHSA-pgjv-84m7-62q7 (Patch, Third Party Advisory)
FAQ
What is CVE-2020-15274?
CVE-2020-15274 is a vulnerability with a CVSS score of 5.8 (MEDIUM). In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual p...
How severe is CVE-2020-15274?
CVE-2020-15274 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15274?
Check the references section above for vendor advisories and patch information. Affected products include: Requarks Wiki.Js.