Description

includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.

Remediation

References

CVE-2014-2243

Related Vulnerabilities

WebLogic CVE-2018-2902 Vulnerability (CVE-2018-2902)

Jenkins Incomplete List of Disallowed Inputs Vulnerability (CVE-2021-21697)

WordPress Plugin Member Approval Cross-Site Request Forgery (131109)

Apache Traffic Server Exposure of Resource to Wrong Sphere Vulnerability (CVE-2018-8040)

PHP Other Vulnerability (CVE-1999-0238)

Severity

Medium

Classification

CVE-2014-2243 CWE-362

Tags

Missing Update Known Vulnerabilities