CVE-2014-2243

MediaWiki <1.19.12, <1.20.x, <1.21.6, <1.22.3 - Info Disclosure

Title source: llm
STIX 2.1

Description

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

References (6)

Core 6
Core References
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/02/28/1
Patch, Vendor Advisory mailing-list x_refsource_mlist
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-February/000141.html
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/03/01/2
Vendor Advisory x_refsource_confirm
https://bugzilla.wikimedia.org/show_bug.cgi?id=61346
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1071136

Scores

EPSS 0.0038
EPSS Percentile 59.8%

Details

CWE
CWE-362
Status published
Products (37)
mediawiki/mediawiki 1.1.0
mediawiki/mediawiki 1.10.0 (3 CPE variants)
mediawiki/mediawiki 1.10.1
mediawiki/mediawiki 1.10.2
mediawiki/mediawiki 1.10.3
mediawiki/mediawiki 1.10.4
mediawiki/mediawiki 1.11
mediawiki/mediawiki 1.11.0 (2 CPE variants)
mediawiki/mediawiki 1.11.1
mediawiki/mediawiki 1.11.2
... and 27 more
Published Mar 02, 2014
Tracked Since Feb 18, 2026