CVE-2020-15274

CVE-2020-15274 is a medium-severity vulnerability in Requarks Wiki.js with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.

Frequently asked questions

What is CVE-2020-15274?
In Wiki.js before version 2.5.162, an XSS payload can be injected in a page title and executed via the search results. While the title is properly escaped in both the navigation links and the actual page title, it is not the case in the search results. Commit a57d9af34c15adbf460dde6553d964efddf433de fixes this vulnerability (version 2.5.162) by properly escaping the text content displayed in the search results.
How severe is CVE-2020-15274?
CVE-2020-15274 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2020-15274 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-15274?
CVE-2020-15274 affects Requarks Wiki.js. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2020-15274?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2020-15274 published?
CVE-2020-15274 was published on 2020-10-26 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Requarks Wiki.js

All CVEs affecting Requarks Wiki.js →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →