8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15275

GHSA ID

GHSA-4q96-6xhq-ff43

EPSS Score

0.52709%

CWE

CWE-79

Published

11/11/2020

Updated

10/7/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15275

CVE-2020-15275: malicious SVG attachment causing stored XSS vulnerability

Impact

An attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki.

Patches

Users are strongly advised to upgrade to a patched version.

MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.

Workarounds

It is not advised to work around this, but to upgrade MoinMoin to a patched version.

That said, a work around via a Content Security Policy in the web server might be possible.

Also, it is of course helpful if you give write permissions (which include uploading attachments) only to trusted users.

For more information

If you have any questions or comments about this advisory, email me at twaldmann@thinkmo.de.

Credits

This vulnerability was discovered by:

Catarina Leite from the Checkmarx SCA AppSec team

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15275

GHSA ID

GHSA-4q96-6xhq-ff43

EPSS Score

0.52709%

CWE

CWE-79

Published

11/11/2020

Updated

10/7/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moin	pip	< 1.9.11	1.9.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from SVG files not being properly sanitized or protected against inline execution. The commit diff shows 'image/svg+xml' was added to 'mimetypes_xss_protect' in MoinMoin/config/multiconfig.py. This list determines which MIME types trigger XSS protections (like forcing download instead of inline rendering). The absence of SVG in this list prior to the patch meant uploaded SVGs were rendered inline, enabling XSS. The DefaultConfig.init method initializes this critical security configuration, making it the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r wit* `writ*` p*rmissions **n uplo** *n SV* *il* t**t *ont*ins m*li*ious j*v*s*ript. T*is j*v*s*ript will ** *x**ut** in * us*r's *rows*r w**n t** us*r is vi*win* t**t SV* *il* on t** wiki. ### P*t***s Us*rs *r* stron*ly **vis*

Reasoning

T** vuln*r**ility st*ms *rom SV* *il*s not **in* prop*rly s*nitiz** or prot**t** ***inst inlin* *x**ution. T** *ommit *i** s*ows 'im***/sv*+xml' w*s ***** to 'mim*typ*s_xss_prot**t' in MoinMoin/*on*i*/multi*on*i*.py. T*is list **t*rmin*s w*i** MIM* t

8.7

Basic Information

Concerned about an active attack path?

CVE-2020-15275: malicious SVG attachment causing stored XSS vulnerability

Impact

Patches

Workarounds

For more information

Credits

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI