Vulnerability Description
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | <= 1.23.11 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2015/12/21/8Mailing ListPatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2015/12/23/7Mailing ListPatchThird Party Advisory
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.htPatchRelease NotesVendor Advisory
- https://phabricator.wikimedia.org/T118032PatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2015/12/21/8Mailing ListPatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2015/12/23/7Mailing ListPatchThird Party Advisory
- https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.htPatchRelease NotesVendor Advisory
- https://phabricator.wikimedia.org/T118032PatchThird Party Advisory
FAQ
What is CVE-2015-8625?
CVE-2015-8625 is a vulnerability with a CVSS score of 7.5 (HIGH). MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read ...
How severe is CVE-2015-8625?
CVE-2015-8625 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8625?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki.