CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
CVSS2 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 0.008 Low (Percentile: 82.0%)

MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random
numbers for password reset tokens, which makes it easier for remote
attackers to change the passwords of arbitrary users.

Any extension developers using mt_rand() to generate random numbers in
contexts where security is required are encouraged to instead make use of the
MWCryptRand class introduced with this release.
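
The migration recommended above, as an added example that is not MediaWiki's or any extension's own code: a token built from mt_rand() beside one drawn from a cryptographic source. It goes slightly beyond the advisory by also showing hashed storage and constant-time comparison of the token. The function names are hypothetical, and MWCryptRand::generateHex() is assumed to be called from inside a MediaWiki installation, with PHP 7's random_bytes() as the stand-alone fallback.

```php
<?php
// Added example. weakResetToken(), strongResetToken() and tokenMatches()
// are hypothetical names used for illustration only.

/**
 * BEFORE: the kind of pattern the note warns about.
 * mt_rand() is a Mersenne Twister, not a CSPRNG: it is seeded with 32 bits
 * and its output is predictable, so hashing it adds no real entropy.
 */
function weakResetToken(): string {
    return md5( mt_rand( 0, 0x7fffffff ) . microtime() );
}

/**
 * AFTER: 128 bits from a cryptographic source, returned as 32 hex chars.
 */
function strongResetToken(): string {
    if ( class_exists( 'MWCryptRand' ) ) {
        // Inside MediaWiki: the class named in the advisory text.
        return MWCryptRand::generateHex( 32 );
    }
    // Outside MediaWiki (PHP 7+): OS CSPRNG; throws if no source is available.
    return bin2hex( random_bytes( 16 ) );
}

/**
 * Store only a hash of the token and compare in constant time, so a leaked
 * table row or a timing difference does not reveal a usable token.
 */
function tokenMatches( string $storedHash, string $presented ): bool {
    return hash_equals( $storedHash, hash( 'sha256', $presented ) );
}

// Constructed usage: issue a token, keep its hash, verify two candidates.
$token  = strongResetToken();
$stored = hash( 'sha256', $token );

var_dump( strlen( $token ) === 32 );                    // bool(true)
var_dump( tokenMatches( $stored, $token ) );            // bool(true)
var_dump( tokenMatches( $stored, weakResetToken() ) );  // bool(false)
```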