Lucene search

K

[email protected]NVD:CVE-2015-6728

HistorySep 01, 2015 - 2:59 p.m.

CVE-2015-6728

2015-09-0114:59:06

CWE-352

[email protected]

web.nvd.nist.gov

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

6.5 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

74.0%

The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.

Affected configurations

NVD

Node

mediawikimediawikiRange≤1.23.9

OR

mediawikimediawikiMatch1.24.0

OR

mediawikimediawikiMatch1.24.1

OR

mediawikimediawikiMatch1.24.2

OR

mediawikimediawikiMatch1.25.0

OR

mediawikimediawikiMatch1.25.1

References

lists.fedoraproject.org/pipermail/package-announce/2015-August/165193.html

www.openwall.com/lists/oss-security/2015/08/12/6

www.openwall.com/lists/oss-security/2015/08/27/6

www.securityfocus.com/bid/76334

lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html

security.gentoo.org/glsa/201510-05

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

6.5 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

74.0%

Related for NVD:CVE-2015-6728

cve1 cvelist1 prion1 ubuntucve1 debiancve1 nessus4 openvas3 fedora3 freebsd1 gentoo1