Description
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.
Remediation
References
Related Vulnerabilities
WebLogic CVE-2022-21453 Vulnerability (CVE-2022-21453)
Apache Tomcat Numeric Errors Vulnerability (CVE-2014-0075)
Contao Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2024-45398)
Lighttpd Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-1111)
OpenSSL Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2022-0778)