The version of MediaWiki installed is 1.23.x earlier than 1.23.10, 1.24.x earlier than 1.24.3, or 1.25.x earlier than 1.25.2. Therefore, it is affected by multiple vulnerabilities:
- A flaw exists due to ‘Special:DeletedContributions’ failing to properly protect the IP of autoblocked users. This may allow attackers to gain access to IP address information. (CVE-2015-6727)
- A flaw exists as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to modify a user’s watchlist. (CVE-2015-6728)
- A flaw allows a reflected cross-site scripting (XSS) attack. This flaw exists because the ‘thumb.php’ script does not validate input to error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. (CVE-2015-6729, CVE-2015-6730)
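
To check an inventory of wikis against the version ranges stated above, the following added example (not part of the advisory or of MediaWiki) classifies version strings per branch. It assumes the version string has already been collected, for instance from Special:Version or the page's generator meta tag; the host names and sample versions are constructed.

```python
import re

# Fixed patch level per branch, taken from the advisory text above.
FIXED_PATCH = {(1, 23): 10, (1, 24): 3, (1, 25): 2}

# Accepts "1.24.2", "MediaWiki 1.24.2" or a pre-release like "1.25.2-rc.1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]?(rc|alpha|beta))?", re.I)

def parse_version(text):
    """Return (major, minor, patch, is_prerelease), or None if unparseable."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None

def status(text):
    """Classify a version string against the advisory's affected ranges."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"          # do not guess; have someone check by hand
    major, minor, patch, prerelease = parsed
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "out-of-scope"     # branch not listed in this advisory
    # Assumption: a pre-release of the fixed version is treated as affected,
    # since it sorts before the final release.
    if patch < fixed or (patch == fixed and prerelease):
        return "affected"
    return "fixed"

def audit(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: status(version) for host, version in inventory.items()}

# Constructed inventory (hypothetical hosts and version strings).
SAMPLE = {
    "wiki-a.example.org": "MediaWiki 1.23.9",
    "wiki-b.example.org": "MediaWiki 1.24.3",
    "wiki-c.example.org": "1.25.2-rc.1",
    "wiki-d.example.org": "MediaWiki 1.26.0",
    "wiki-e.example.org": "",
}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(f"{host}: {result}")
```

A result of "out-of-scope" means only that this advisory does not list the branch, not that the installation is free of these flaws.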