MediaWiki Password Reset Cross-site Request Forgery Vulnerability

Medium

Synopsis

The remote web server is running a PHP application that is affected by a cross-site request forgery.

Description

In versions older than 1.22.5, 1.21.8, and 1.19.14, MediaWiki contains a flaw in Special:ChangePassword, due to its implementation of the password reset action. Because the action requires no explicit confirmation, no unique (anti-CSRF) token, and no multi-step process, an attacker could induce a victim's browser to reset their password by getting them to follow a specially crafted link.
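The weakness described above is the generic CSRF pattern for a state-changing action that relies on the session cookie alone. The following is an added illustration, not MediaWiki code: a hypothetical password-change handler in its vulnerable form beside a hardened form that requires POST, a per-session secret token (compared in constant time and rotated after use), and a retype confirmation. The `Session`, `Request`, `PasswordStore` classes, the form field names and the sample users are all constructed for the example.

```python
"""Hypothetical password-change handler illustrating the CSRF weakness
described in the advisory and one standard mitigation. Not MediaWiki code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session bound to the browser's cookie (constructed)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed)."""
    method: str
    form: dict
    session: Session


class PasswordStore:
    """In-memory credential store standing in for the user table."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, user, new_password):
        self._passwords[user] = new_password

    def get_password(self, user):
        return self._passwords.get(user)


def change_password_unsafe(req: Request, store: PasswordStore) -> int:
    """Vulnerable pattern: the only thing checked is that a logged-in session
    exists. A link or auto-submitting form on another site is sent with the
    victim's cookie, so the browser performs this action on the attacker's
    behalf. Returns an HTTP-style status code."""
    store.set_password(req.session.user, req.form["new_password"])
    return 200


def change_password_safe(req: Request, store: PasswordStore) -> int:
    """Hardened pattern: state change only via POST, a per-session secret
    token that a cross-origin page cannot read, and an explicit retype
    confirmation. The token is rotated after a successful change so a
    captured form cannot be replayed."""
    if req.method != "POST":
        return 405
    submitted = req.form.get("csrf_token", "")
    expected = req.session.csrf_token
    # Constant-time comparison on bytes avoids timing leaks and TypeError
    # on non-ASCII input.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    new_password = req.form.get("new_password", "")
    if not new_password or new_password != req.form.get("retype"):
        return 400
    store.set_password(req.session.user, new_password)
    req.session.csrf_token = secrets.token_hex(32)
    return 200


def simulate() -> dict:
    """Replays a forged cross-site request (form body chosen by the attacker,
    no token) and then a genuine request against both handlers, and returns
    (forged_status, password_after_forged, genuine_status, final_password)
    per handler so the difference is visible."""
    results = {}
    handlers = (("unsafe", change_password_unsafe), ("safe", change_password_safe))
    for name, handler in handlers:
        store = PasswordStore()
        store.set_password("victim", "original")
        session = Session(user="victim")
        # Forged request: the attacker controls the body but cannot read the
        # victim's session token, so no valid csrf_token is present.
        forged = Request("POST", {"new_password": "attacker-chosen",
                                  "retype": "attacker-chosen"}, session)
        forged_status = handler(forged, store)
        after_forged = store.get_password("victim")
        # Genuine request: the form the user loaded embedded the token.
        genuine = Request("POST", {"new_password": "user-chosen",
                                   "retype": "user-chosen",
                                   "csrf_token": session.csrf_token}, session)
        genuine_status = handler(genuine, store)
        results[name] = (forged_status, after_forged, genuine_status,
                         store.get_password("victim"))
    return results


if __name__ == "__main__":
    for handler_name, outcome in simulate().items():
        print(handler_name, outcome)
```

Running `simulate()` shows the unsafe handler accepting the forged request and overwriting the victim's password, while the safe handler rejects it with 403 and leaves the stored password untouched; the genuine request succeeds against both. The same structure (method restriction, unguessable per-session token, explicit confirmation) is what the advisory's "unique tokens" and "explicit confirmation" refer to.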

Solution

Upgrade to MediaWiki version 1.22.5, 1.21.8, or 1.19.14, or later.