Description

MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.

Remediation

References

CVE-2015-8625

Related Vulnerabilities

WebLogic CVE-2019-2441 Vulnerability (CVE-2019-2441)

Joomla! Core 3.x.x Multiple Cross-Site Scripting Vulnerabilities (3.0.0 - 3.9.3)

Craft CMS Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2019-15929)

OpenSSL Improper Input Validation Vulnerability (CVE-2014-3567)

phpMyFAQ Uncaught Exception Vulnerability (CVE-2023-0790)

Severity

High

Classification

CVE-2015-8625 CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities