The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2015/10/29/14 | Mailing List VDB Entry |
http://www.securitytracker.com/id/1034028 | |
https://phabricator.wikimedia.org/T103023 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
No history.
Information
Published : 2017-07-25 14:29
Updated : 2023-12-10 12:15
NVD link : CVE-2015-8009
Mitre link : CVE-2015-8009
CVE.ORG link : CVE-2015-8009
JSON object : View
Products Affected
mediawiki
- mediawiki
CWE
CWE-255
Credentials Management Errors