Description

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Remediation

References

CVE-2014-2665

Related Vulnerabilities

Chamilo Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2023-34944)

Joomla! Core Security Bypass (1.6.2 - 3.9.10)

WordPress Plugin iThemes Security (formerly Better WP Security) Multiple Vulnerabilities (3.6.3)

WordPress Plugin Gutenberg & Elementor Templates Importer For Responsive Security Bypass (2.2.5)

WordPress Plugin Contact Form & SMTP Plugin for WordPress by PirateForms Cross-Site Scripting (2.5.1)

Severity

Medium

Classification

CVE-2014-2665 CWE-287

Tags

Missing Update Known Vulnerabilities