CVE-2014-2665Improper Authentication in Mediawiki

CWE-287Improper Authentication5 documents5 sources
Severity
4.0MEDIUMNVD
EPSS
0.2%
top 58.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiDebian Mediawiki
Timeline
PublishedApr 20
Latest updateMay 17

Description

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages3 packages

debiandebian/mediawiki< mediawiki 1:1.19.14+dfsg-1 (bookworm)
Debianmediawiki/mediawiki< 1:1.19.14+dfsg-1+3
NVDmediawiki/mediawiki1.19.13+36

Patches

Patch: lists.wikimedia.orgPatch: gerrit.wikimedia.orgPatch: lists.wikimedia.org

🔴Vulnerability Details

2
GHSA
GHSA-h9j9-33h5-rrmw: includes/specials/SpecialChangePassword2022-05-17
OSV
CVE-2014-2665: includes/specials/SpecialChangePassword2014-04-20

📋Vendor Advisories

1
Debian
CVE-2014-2665: mediawiki - includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x ...2014

💬Community

1
Bugzilla
CVE-2014-2665 mediawiki: missing CSRF protection on Special:ChangePassword2014-03-28
CVE-2014-2665 — Improper Authentication in Mediawiki | cvebase