CVE-2015-8623
8.8
HIGH
CVSS 3.1
EPSS 0.13%
Description
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.
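The defect described above is a comparison that returns as soon as it finds the first mismatching byte, so the time it takes depends on how much of the guessed token is correct. The PHP below is an added illustration, not MediaWiki's own `User::matchEditToken` code: it instruments a naive comparison and a constant-time one by counting the bytes each examines, using a constructed token value. In a real fix the comparison should be PHP's built-in `hash_equals()` (PHP 5.6 and later), which behaves like `constantTimeCompare` here.

```php
<?php
// Added example (not MediaWiki code): a short-circuiting token compare
// versus a constant-time one. Each function returns [bool equal, int bytesExamined]
// so the work done, a proxy for runtime, can be observed directly.

/**
 * Naive comparison: stops at the first differing byte, so the number of
 * bytes examined grows with the length of the correctly guessed prefix.
 */
function naiveCompare(string $known, string $user): array {
    if (strlen($known) !== strlen($user)) {
        return [false, 0];
    }
    $n = strlen($known);
    for ($i = 0; $i < $n; $i++) {
        if ($known[$i] !== $user[$i]) {
            return [false, $i + 1];
        }
    }
    return [true, $n];
}

/**
 * Constant-time comparison: always walks the whole expected token and
 * folds every difference into one accumulator, so the work done does
 * not depend on where (or whether) the inputs differ. A length mismatch
 * is still rejected, but only after the full pass.
 */
function constantTimeCompare(string $known, string $user): array {
    $n = strlen($known);
    $m = strlen($user);
    $diff = $n ^ $m;
    for ($i = 0; $i < $n; $i++) {
        // Index the user string modulo its length so a short guess never errors out.
        $u = $m > 0 ? ord($user[$i % $m]) : 0;
        $diff |= ord($known[$i]) ^ $u;
    }
    return [$diff === 0, $n];
}

// Constructed token for the demonstration (not a real MediaWiki token).
$token = 'a3f9c1d2e4b6078a';

// Guesses that match progressively longer prefixes of the token.
$guesses = [
    'ffffffffffffffff', // nothing correct
    'a3ffffffffffffff', // 2 bytes correct
    'a3f9c1d2ffffffff', // 8 bytes correct
    'a3f9c1d2e4b6078a', // fully correct
];

foreach ($guesses as $guess) {
    [$nEq, $nWork] = naiveCompare($token, $guess);
    [$cEq, $cWork] = constantTimeCompare($token, $guess);
    printf("guess %s  naive: equal=%-5s bytes=%2d   constant-time: equal=%-5s bytes=%2d\n",
        $guess, $nEq ? 'true' : 'false', $nWork, $cEq ? 'true' : 'false', $cWork);
}

// The built-in the fix should actually use: same verdicts, constant-time by design.
var_dump(hash_equals($token, 'a3f9c1d2e4b6078a')); // bool(true)
var_dump(hash_equals($token, 'a3f9c1d2ffffffff')); // bool(false)
```

Run with `php example.php`. The naive column shows the examined-byte count climbing from 1 to 16 as the guessed prefix lengthens, which is exactly the signal a timing measurement would expose; the constant-time column stays at 16 for every guess. Note that `hash_equals()` takes the known (server-side) value as its first argument, and that the order matters for its timing guarantees.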
How to fix CVE-2015-8623
To remediate CVE-2015-8623, upgrade the affected package to a fixed version below.
- Upgrade to 1:1.25.5-1 or later
Is CVE-2015-8623 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 1:1.25.5-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |