CVE-2015-8625

HIGH

MediaWiki < 1.23.12, 1.24.x < 1.24.5, 1.25.x < 1.25.4, 1.26.x < 1.26.1 - Arbitrary File Read

Title source: llm
STIX 2.1

Description

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.

References (4)

Core 4
Core References
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/12/21/8
Patch, Release Notes, Vendor Advisory mailing-list x_refsource_mlist
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/12/23/7
Patch, Third Party Advisory x_refsource_confirm
https://phabricator.wikimedia.org/T118032

Scores

CVSS v3 7.5
EPSS 0.0031
EPSS Percentile 54.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (11)
mediawiki/mediawiki 1.24.0
mediawiki/mediawiki 1.24.1
mediawiki/mediawiki 1.24.2
mediawiki/mediawiki 1.24.3
mediawiki/mediawiki 1.24.4
mediawiki/mediawiki 1.25.0
mediawiki/mediawiki 1.25.1
mediawiki/mediawiki 1.25.2
mediawiki/mediawiki 1.25.3
mediawiki/mediawiki 1.26.0
... and 1 more
Published Mar 23, 2017
Tracked Since Feb 18, 2026