Vulnerability CVE-2015-8004

Vulnerability Name:

CVE-2015-8004 (CCN-107706)

Assigned:

2015-10-29

Published:

2015-10-29

Updated:

2015-11-10

Summary:

MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form.

CVSS v3 Severity:

4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2015-8004

Source: CCN
Type: SECTRACK ID: 1034028
MediaWiki Multiple Bugs Let Remote Users Obtain Potentially Sensitive Information and Conduct Cross-Site Scripting Attacks and Let Remote Authenticated Users Bypass Security and Deny Service

Source: SECTRACK
Type: UNKNOWN
1034028

Source: XF
Type: UNKNOWN
mediawiki-cve20158004-sec-bypass(107706)

Source: MLIST
Type: Patch, Vendor Advisory
[MediaWiki-announce] 20151016 Security Release: 1.25.3, 1.24.4 and 1.23.11

Source: CONFIRM
Type: Vendor Advisory
https://phabricator.wikimedia.org/T95589

Source: CCN
Type: MediaWiki Web site
MediaWiki

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-8004

Vulnerable Configuration:

Configuration 1:

cpe:/a:mediawiki:mediawiki:*:*:*:*:*:*:*:* (Version <= 1.23.10)

OR cpe:/a:mediawiki:mediawiki:1.24.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.2:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.24.3:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.0:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.1:*:*:*:*:*:*:*

OR cpe:/a:mediawiki:mediawiki:1.25.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.disco:def:201580040000000	V	CVE-2015-8004 on Ubuntu 19.04 (disco) - medium.	2015-11-09
oval:com.ubuntu.artful:def:20158004000	V	CVE-2015-8004 on Ubuntu 17.10 (artful) - medium.	2015-11-09
oval:com.ubuntu.trusty:def:20158004000	V	CVE-2015-8004 on Ubuntu 14.04 LTS (trusty) - medium.	2015-11-09
oval:com.ubuntu.bionic:def:20158004000	V	CVE-2015-8004 on Ubuntu 18.04 LTS (bionic) - medium.	2015-11-09
oval:com.ubuntu.cosmic:def:201580040000000	V	CVE-2015-8004 on Ubuntu 18.10 (cosmic) - medium.	2015-11-09
oval:com.ubuntu.cosmic:def:20158004000	V	CVE-2015-8004 on Ubuntu 18.10 (cosmic) - medium.	2015-11-09
oval:com.ubuntu.bionic:def:201580040000000	V	CVE-2015-8004 on Ubuntu 18.04 LTS (bionic) - medium.	2015-11-09
oval:com.ubuntu.precise:def:20158004000	V	CVE-2015-8004 on Ubuntu 12.04 LTS (precise) - medium.	2015-11-09

BACK