Description

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

Remediation

References

CVE-2014-2243

Related Vulnerabilities

Opencart Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2018-13067)

Zenphoto Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-44449)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.32)

WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.33)

Elgg Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-6562)

Severity

Medium

Classification

CVE-2014-2243 CWE-362

Tags

Missing Update Known Vulnerabilities