vulnerability

MediaWiki: CVE-2015-8623: Cross-Site Request Forgery (CSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Published

Mar 23, 2017

Added

Aug 24, 2017

Modified

May 6, 2026

Description

The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.

Solution

mediawiki-upgrade-latest

References

CVE-2015-8623
https://attackerkb.com/topics/CVE-2015-8623
http://www.openwall.com/lists/oss-security/2015/12/21/8
http://www.openwall.com/lists/oss-security/2015/12/23/7
https://gerrit.wikimedia.org/r/#/c/156336/5/includes/User.php
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.html
https://phabricator.wikimedia.org/T119309
https://euvd.enisa.europa.eu/vulnerability/EUVD-2015-8500
CWE-352
EUVD-EUVD-2015-8500

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report