Vulnerabilities > Mediawiki > High

DATE CVE VULNERABILITY TITLE RISK
2017-04-20 CVE-2016-6331 Improper Access Control vulnerability in Mediawiki
ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php.
network
low complexity
mediawiki CWE-284
7.5
2017-03-23 CVE-2015-8625 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.
network
low complexity
mediawiki CWE-200
7.5
2017-03-23 CVE-2015-8624 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.
network
low complexity
mediawiki CWE-352
8.8
2017-03-23 CVE-2015-8623 Cross-Site Request Forgery (CSRF) vulnerability in Mediawiki
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.
network
low complexity
mediawiki CWE-352
8.8