PT-2014-4859 · Wikimedia · Mediawiki

Published 2014-04-03 · Updated 2014-07-29 · CVE-2014-2665

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

MediaWiki versions prior to 1.19.14
MediaWiki versions 1.20.x
MediaWiki versions 1.21.x prior to 1.21.8
MediaWiki versions 1.22.x prior to 1.22.5
Description

The issue makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to log in to the attacker's account (a "login CSRF" issue), for example in order to track the victim's activity. The cause is that the includes/specials/SpecialChangePassword.php file in MediaWiki does not properly handle a login attempt that is correctly authenticated but not intended by the user.
Recommendations

For MediaWiki versions prior to 1.19.14, update to version 1.19.14 or later.
For MediaWiki versions 1.20.x, update to a version outside of the 1.20.x range, such as 1.19.14 or later, or 1.21.8 or later.
For MediaWiki versions 1.21.x prior to 1.21.8, update to version 1.21.8 or later.
For MediaWiki versions 1.22.x prior to 1.22.5, update to version 1.22.5 or later.

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2014-1960
CVE-2014-2665
DSA-2891-1
MGASA-2014-0157

Affected Products

Alt Linux
Mediawiki