Description
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.