Description

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

Remediation

References

CVE-2014-2243

Related Vulnerabilities

WordPress Plugin WordPress Simple Ecommerce Shopping Cart-Sell products through Paypal Arbitrary File Upload (2.2.5)

MySQL CVE-2020-2752 Vulnerability (CVE-2020-2752)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-1591)

WordPress Plugin WooCommerce-Store Toolkit Privilege Escalation (1.5.6)

WordPress Plugin Advanced Custom Fields (ACF) 'acf_abspath' Parameter Remote File Include (3.5.1)

Severity

Medium

Classification

CVE-2014-2243 CWE-362

Tags

Missing Update Known Vulnerabilities