Description

The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.

Remediation

References

CVE-2015-8009

Related Vulnerabilities

WordPress Plugin Easy Testimonial Manager SQL Injection (1.2.0)

WordPress Plugin ResAds Multiple Cross-Site Scripting Vulnerabilities (1.0.1)

WordPress Plugin WP Fastest Cache Local File Inclusion (0.8.5.9)

Joomla Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-3226)

Magento Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2212)

Severity

Critical

Classification

CVE-2015-8009 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities