CVE-2015-2940

Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2015/04/07/3
https://phabricator.wikimedia.org/T85858
http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html	Patch Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/04/01/1
http://www.securityfocus.com/bid/73477
https://security.gentoo.org/glsa/201510-05

Configurations

Configuration 1 (hide)

cpe:2.3:a:mediawiki:checkuser:-:*:*:*:*:mediawiki:*:*

Information

Published : 2015-04-13 07:59

Updated : 2016-12-07 10:11

NVD link : CVE-2015-2940

Mitre link : CVE-2015-2940

JSON object : View

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

Products Affected

mediawiki

checkuser

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.openwall.com/lists/oss-security/2015/04/07/3", "name": "[oss-security] 20150407 Re: CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": [], "refsource": "MLIST"}, {"url": "https://phabricator.wikimedia.org/T85858", "name": "https://phabricator.wikimedia.org/T85858", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200", "name": "MDVSA-2015:200", "tags": [], "refsource": "MANDRIVA"}, {"url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html", "name": "[MediaWiki-announce] 20150331 MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2", "tags": ["Patch", "Vendor Advisory"], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2015/04/01/1", "name": "[oss-security] 20150331 CVE request: MediaWiki 1.24.2/1.23.9/1.19.24", "tags": [], "refsource": "MLIST"}, {"url": "http://www.securityfocus.com/bid/73477", "name": "73477", "tags": [], "refsource": "BID"}, {"url": "https://security.gentoo.org/glsa/201510-05", "name": "GLSA-201510-05", "tags": [], "refsource": "GENTOO"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-352"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2015-2940", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2015-04-13T14:59Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:mediawiki:checkuser:-:*:*:*:*:mediawiki:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2016-12-07T18:11Z"}

6.8 /10