CVE-2015-8008
HIGHMediaWiki < 1.25.3 - OAuth IP Address Access Restriction Bypass via API Request
Title source: llmDescription
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/77379
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1273353
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170979.html
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170961.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1034028
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T103022
Issue Tracking, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000182.html
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171007.html
Issue Tracking, Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/10/29/14
Scores
CVSS v3
7.5
EPSS
0.0055
EPSS Percentile
68.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (4)
fedoraproject/fedora
21
fedoraproject/fedora
22
fedoraproject/fedora
23
mediawiki/mediawiki
< 1.25.3
Published
Dec 29, 2017
Tracked Since
Feb 18, 2026