CVE-2015-6728 — Cross-Site Request Forgery in Mediawiki

CWE-352 — Cross-Site Request Forgery5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 63.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedSep 1

Latest updateMay 17

Description

The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.25.5-1 (bookworm)

▶Debianmediawiki/mediawiki< 1:1.25.5-1+3

▶NVDmediawiki/mediawiki1.23.9+5

🔴Vulnerability Details

GHSA

GHSA-j8wf-wp2j-cmg7: The ApiBase::getWatchlistUser function in MediaWiki before 1↗2022-05-17

▶

OSV

CVE-2015-6728: The ApiBase::getWatchlistUser function in MediaWiki before 1↗2015-09-01

▶

📋Vendor Advisories

Debian

CVE-2015-6728: mediawiki - The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x befor...↗2015

▶

💬Community

Bugzilla

CVE-2013-7444 CVE-2015-6737 CVE-2015-6736 CVE-2015-6727 CVE-2015-6733 CVE-2015-6732 CVE-2015-6731 CVE-2015-6730 CVE-2015-6728 CVE-2015-6729 CVE-2015-6735 CVE-2015-6734 mediawiki: multiple security fix↗2015-08-13

▶