CVE-2020-15274
Summary
| CVE | CVE-2020-15274 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-10-26 19:15:00 UTC |
| Updated | 2020-10-30 17:55:00 UTC |
| Description | In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release Notes \| Wiki.js | MISC | docs.requarks.io | Release Notes, Vendor Advisory |
| Stored XSS via search result page title · Advisory · Requarks/wiki · GitHub | CONFIRM | github.com | Patch, Third Party Advisory |
| Merge pull request from GHSA-pgjv-84m7-62q7 · Requarks/wiki@a57d9af · GitHub | MISC | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.