Description

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.

Remediation

References

CVE-2015-8625

Related Vulnerabilities

WordPress Plugin Thank You Counter Button Multiple Cross-Site Scripting Vulnerabilities (1.8.7)

FluxBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-35240)

WordPress Plugin WP Photo Album Plus 'wppa-album' Parameter SQL Injection (4.1.1)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2156)

XWiki Improper Restriction of XML External Entity Reference Vulnerability (CVE-2023-27480)

Severity

High

Classification

CVE-2015-8625 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities