CVE-2015-2940

Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2015:200
http://www.openwall.com/lists/oss-security/2015/04/01/1
http://www.openwall.com/lists/oss-security/2015/04/07/3
http://www.securityfocus.com/bid/73477
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html	Patch Vendor Advisory
https://phabricator.wikimedia.org/T85858
https://security.gentoo.org/glsa/201510-05

Configurations

Configuration 1 (hide)

cpe:2.3:a:mediawiki:checkuser:-:*:*:*:*:mediawiki:*:*

History

No history.

Information

Published : 2015-04-13 14:59

Updated : 2023-12-10 11:31

NVD link : CVE-2015-2940

Mitre link : CVE-2015-2940

CVE.ORG link : CVE-2015-2940

JSON object : View

Products Affected

mediawiki

checkuser

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2015-2940", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2015-04-13T14:59:13.520", "references": [{"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:200", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2015/04/01/1", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2015/04/07/3", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/73477", "source": "cve@mitre.org"}, {"url": "https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://phabricator.wikimedia.org/T85858", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/201510-05", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors."}, {"lang": "es", "value": "Vulnerabilidad de CSRF en la extensi\u00f3n CheckUser para MediaWiki permite a atacantes remotos secuestrar la autenticaci\u00f3n de ciertos usuarios para peticiones que solicitan informaci\u00f3n sensible de usuario a trav\u00e9s de vectores no especificados."}], "lastModified": "2016-12-07T18:11:04.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mediawiki:checkuser:-:*:*:*:*:mediawiki:*:*", "vulnerable": true, "matchCriteriaId": "AF8654AE-7741-4CD6-A1C1-1C70CF29DEED"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}