CVE-2015-8624

HIGH

MediaWiki < 1.23.12, 1.24.x < 1.24.5, 1.25.x < 1.25.4, 1.26.x < 1.26.1 - Cross-Site Request Forgery via Timing Attack

Title source: llm

Description

The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.

References (4)

Core 4

Core References

Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2015/12/21/8

Patch, Release Notes, Vendor Advisory mailing-list x_refsource_mlist

https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html

Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2015/12/23/7

Patch, Third Party Advisory x_refsource_confirm

https://phabricator.wikimedia.org/T119309

Scores

CVSS v3 8.8

EPSS 0.0012

EPSS Percentile 29.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (11)

mediawiki/mediawiki 1.24.0

mediawiki/mediawiki 1.24.1

mediawiki/mediawiki 1.24.2

mediawiki/mediawiki 1.24.3

mediawiki/mediawiki 1.24.4

mediawiki/mediawiki 1.25.0

mediawiki/mediawiki 1.25.1

mediawiki/mediawiki 1.25.2

mediawiki/mediawiki 1.25.3

mediawiki/mediawiki 1.26.0

... and 1 more

Published Mar 23, 2017

Tracked Since Feb 18, 2026