CVE-2015-6736 - Code vulnerability in Quiz Project Quiz
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: NONE
- Availability impact: PARTIAL
Summary
The Quiz extension for MediaWiki allows remote attackers to cause a denial of service via regex metacharacters in a regular expression.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | | 1 |
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2015-13920.NASL
  - description:
    - (T94116) SECURITY: Compare API watchlist token in constant time
    - (T97391) SECURITY: Escape error message strings in thumb.php
    - (T106893) SECURITY: Don
  - last seen: 2020-06-05
  - modified: 2015-08-31
  - plugin id: 85698
  - published: 2015-08-31
  - reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/85698
  - title: Fedora 23 : mediawiki-1.25.2-2.fc23 (2015-13920)
- NASL family: Gentoo Local Security Checks
  - NASL id: GENTOO_GLSA-201510-05.NASL
  - description: The remote host is affected by the vulnerability described in GLSA-201510-05 (MediaWiki: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers referenced below for details. Impact: A remote attacker may be able to create a Denial of Service condition, obtain sensitive information, bypass security restrictions, and inject arbitrary web script or HTML. Workaround: There is no known workaround at this time.
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 86690
  - published: 2015-11-02
  - reporter: This script is Copyright (C) 2015 Tenable Network Security, Inc.
  - source: https://www.tenable.com/plugins/nessus/86690
  - title: GLSA-201510-05 : MediaWiki: Multiple vulnerabilities
- NASL family: FreeBSD Local Security Checks
  - NASL id: FREEBSD_PKG_6241B5DF42A111E593AD002590263BF5.NASL
  - description: MediaWiki reports: Internal review discovered that Special:DeletedContributions did not properly protect the IP of autoblocked users. This fix makes the functionality of Special:DeletedContributions consistent with Special:Contributions and Special:BlockList. Internal review discovered that watchlist anti-csrf tokens were not being compared in constant time, which could allow various timing attacks. This could allow an attacker to modify a user
  - last seen: 2020-06-01
  - modified: 2020-06-02
  - plugin id: 85428
  - published: 2015-08-17
  - reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/85428
  - title: FreeBSD : mediawiki -- multiple vulnerabilities (6241b5df-42a1-11e5-93ad-002590263bf5)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165193.html
- http://www.openwall.com/lists/oss-security/2015/08/12/6
- http://www.openwall.com/lists/oss-security/2015/08/27/6
- http://www.securityfocus.com/bid/76362
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html
- https://security.gentoo.org/glsa/201510-05