Main Vulnerability Database Vulnerabilities #VU39391

Information disclosure in MediaWiki - CVE-2015-8625

Published: March 23, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU39391

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2015-8625

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: MediaWiki.org

Affected software:
MediaWiki

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.

How to mitigate CVE-2015-8625

Install update from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2015/12/21/8
http://www.openwall.com/lists/oss-security/2015/12/23/7
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
https://phabricator.wikimedia.org/T118032

Information disclosure in MediaWiki - CVE-2015-8625

Detailed vulnerability description

How to mitigate CVE-2015-8625

Sources

Please verify you're human