Description

The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.

Remediation

References

CVE-2015-8009

Related Vulnerabilities

MySQL CVE-2014-2442 Vulnerability (CVE-2014-2442)

WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce SQL Injection (5.4.19)

WordPress Plugin Checklist Cross-Site Scripting (1.1.5)

Internet Information Services Other Vulnerability (CVE-2005-2089)

WordPress Plugin YITH PayPal Express Checkout for WooCommerce Security Bypass (1.2.5)

Severity

Critical

Classification

CVE-2015-8009 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities