PT-2017-7455 · Curl+2 · Curl+2
Catrope
·
Published
2015-12-24
·
Updated
2017-08-22
·
CVE-2015-8625
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
MediaWiki versions prior to 1.23.12
MediaWiki versions 1.24.x prior to 1.24.5
MediaWiki versions 1.25.x prior to 1.25.4
MediaWiki versions 1.26.x prior to 1.26.1
Description
The issue arises from improper sanitization of parameters when calling the cURL library. This allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.
Recommendations
For MediaWiki versions prior to 1.23.12, update to version 1.23.12 or later.
For MediaWiki versions 1.24.x prior to 1.24.5, update to version 1.24.5 or later.
For MediaWiki versions 1.25.x prior to 1.25.4, update to version 1.25.4 or later.
For MediaWiki versions 1.26.x prior to 1.26.1, update to version 1.26.1 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Mediawiki
Curl