Main Vulnerability Database Vulnerabilities #VU38645

Credentials management in MediaWiki - CVE-2015-8009

Published: July 25, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38645

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2015-8009

CWE-ID: CWE-255

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MediaWiki.org

Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.

How to mitigate CVE-2015-8009

Install update from vendor's website.

Credentials management in MediaWiki - CVE-2015-8009

Detailed vulnerability description

How to mitigate CVE-2015-8009

Sources

Please verify you're human