Arches, please stabilize:
Maintainer(s), please cleanup.
Security, please vote.
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14,
1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly
handle a correctly authenticated but unintended login attempt, which makes
it easier for remote authenticated users to obtain sensitive information by
arranging for a victim to login to the attacker's account, as demonstrated
by tracking the victim's activity, related to a "login CSRF" issue.
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
GLSA VOTE: No
GLSA already in progress, adding this to existing GLSA.
This issue was resolved and addressed in
GLSA 201502-04 at http://security.gentoo.org/glsa/glsa-201502-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).