| Summary: | <www-apps/mediawiki-{1.19.14,1.21.8,1.22.5}: No CSRF token on Special:ChangePassword (CVE-2014-2665) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Xu (Hello71) <alex_y_xu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/03/28/1 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Xu (Hello71)
2014-03-28 02:10:52 UTC
Arches, please stabilize: =www-apps/mediawiki-1.19.15 =www-apps/mediawiki-1.21.8

amd64 stable

ppc stable

x86 stable.

Maintainer(s), please clean up.

Security, please vote.

Cleanup done.

CVE-2014-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665): includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.

Arches, thank you for your work. Maintainer(s), please drop the vulnerable version.

GLSA VOTE: No. GLSA already in progress, adding this to existing GLSA.

This issue was resolved and addressed in GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).