Description

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Remediation

References

CVE-2014-2665

Related Vulnerabilities

Jenkins Use of Insufficiently Random Values Vulnerability (CVE-2020-2099)

Atlassian Jira CVE-2020-29451 Vulnerability (CVE-2020-29451)

Jboss EAP Improper Initialization Vulnerability (CVE-2023-4503)

WordPress Plugin Zingiri Web Shop Unspecified Vulnerability (2.6.5)

PHP Release of Invalid Pointer or Reference Vulnerability (CVE-2022-31625)

Severity

Medium

Classification

CVE-2014-2665 CWE-287

Tags

Missing Update Known Vulnerabilities