Vulnerabilities > Mediawiki > Mediawiki > 1.24.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-23 | CVE-2015-8624 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. | 6.8 |
| 2017-03-23 | CVE-2015-8623 | Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. | 6.8 |
| 2017-03-23 | CVE-2015-8622 | Cross-site Scripting vulnerability in Mediawiki Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." | 4.3 |