Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.0
CVE Id: CVE-2014-2665
Last Modified: 24 Apr 2014 01:06:23
Published: 19 Apr 2014 09:55:06
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2014-2665

Summary

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Vulnerable Systems

Application

  • Mediawiki 1.19

  • Mediawiki 1.19.0

  • Mediawiki 1.19.1

  • Mediawiki 1.19.10

  • Mediawiki 1.19.11

  • Mediawiki 1.19.12

  • Mediawiki 1.19.13

  • Mediawiki 1.19.2

  • Mediawiki 1.19.3

  • Mediawiki 1.19.4

  • Mediawiki 1.19.5

  • Mediawiki 1.19.6

  • Mediawiki 1.19.7

  • Mediawiki 1.19.8

  • Mediawiki 1.19.9

  • Mediawiki 1.20

  • Mediawiki 1.20.1

  • Mediawiki 1.20.2

  • Mediawiki 1.20.3

  • Mediawiki 1.20.4

  • Mediawiki 1.20.5

  • Mediawiki 1.20.6

  • Mediawiki 1.20.7

  • Mediawiki 1.20.8

  • Mediawiki 1.21

  • Mediawiki 1.21.1

  • Mediawiki 1.21.2

  • Mediawiki 1.21.3

  • Mediawiki 1.21.4

  • Mediawiki 1.21.5

  • Mediawiki 1.21.6

  • Mediawiki 1.21.7

  • Mediawiki 1.22.0

  • Mediawiki 1.22.1

  • Mediawiki 1.22.2

  • Mediawiki 1.22.3

  • Mediawiki 1.22.4


References

CONFIRM - https://gerrit.wikimedia.org/r/#/c/121517/1/includes/specials/SpecialChangePassword.php

MLIST - [mediawiki-announce] 20140328 MediaWiki Security and Maintenance Releases: 1.22.5, 1.21.8 and 1.19.14

CONFIRM - https://bugzilla.wikimedia.org/show_bug.cgi?id=62497

MLIST - [oss-security] 20140401 Re: CVE request: MediaWiki 1.22.5 login csrf

MLIST - [oss-security] 20140327 CVE request: MediaWiki 1.22.5 login csrf


Last Updated: 27 May 2016 11:05:02