CVE-2020-15274

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15274
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15274.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15274
Related
  • GHSA-pgjv-84m7-62q7
Published
2020-10-26T19:15:12Z
Modified
2025-01-15T01:43:21.467018Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.

References

Affected packages

Git / github.com/requarks/wiki

Affected ranges

Type
GIT
Repo
https://github.com/requarks/wiki
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

2.*

2.0.0-beta.11
2.0.0-beta.115
2.0.0-beta.147
2.0.0-beta.148
2.0.0-beta.174
2.0.0-beta.180
2.0.0-beta.203
2.0.0-beta.208
2.0.0-beta.230
2.0.0-beta.241
2.0.0-beta.267
2.0.0-beta.268
2.0.0-beta.275
2.0.0-beta.303
2.0.0-beta.42
2.0.0-beta.68
2.0.0-beta.84
2.0.0-beta.91
2.0.0-rc.1
2.0.0-rc.17
2.0.1
2.0.12
2.1.113
2.2.50
2.2.51
2.3.71
2.3.72
2.3.77
2.4.105
2.4.107
2.4.75
2.5.105
2.5.117
2.5.121
2.5.126
2.5.132
2.5.136
2.5.144
2.5.159

v1.*

v1.0-alpha.1
v1.0-alpha.2
v1.0-alpha.3
v1.0-alpha.4
v1.0-alpha.5
v1.0-alpha.6
v1.0-alpha.7
v1.0-beta.1
v1.0-beta.2
v1.0-beta.3
v1.0-beta.4
v1.0-beta.5
v1.0.0-beta.10
v1.0.0-beta.11
v1.0.0-beta.12
v1.0.0-beta.13
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.9
v1.0.1
v1.0.10
v1.0.11
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9