Description

includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Remediation

References

CVE-2014-2665

Related Vulnerabilities

Moodle Improper Input Validation Vulnerability (CVE-2013-2083)

Oracle JRE CVE-2013-2432 Vulnerability (CVE-2013-2432)

TYPO3 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-4855)

WordPress Plugin Theme Blvd Sliders Multiple Security Bypass Vulnerabilities (1.2.3)

WordPress Plugin N-Media Website Contact Form with File Upload Arbitrary File Upload (1.3.4)

Severity

Medium

Classification

CVE-2014-2665 CWE-287

Tags

Missing Update Known Vulnerabilities