MediaWiki Password Reset Cross-site Request Forgery Vulnerability
Medium Nessus Network Monitor Plugin ID 8181
Synopsis
The remote web server is running a PHP application that is affected by a cross-site request forgery vulnerability.
Description
In versions older than 1.22.5, 1.21.8, and 1.19.14, MediaWiki contains a flaw in Special:ChangePassword, due to its implementation of the password reset action. Because the action requires no explicit confirmation, no unique (anti-CSRF) token, and no multi-step process, an attacker could induce a logged-in victim to reset their own password by visiting a specially crafted link.
Solution
Upgrade to MediaWiki version 1.22.5, 1.21.8, or 1.19.14, or later.
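The following is an added illustration, not code from Tenable or from MediaWiki, of the class of flaw the description names: a password-change handler that trusts the session cookie alone, placed beside one that also demands the per-session token a state-changing form should carry. It is written in Python rather than MediaWiki's PHP so it runs stand-alone; the session store, the function names and the form field names (`csrf_token`, `new_password`) are assumptions of this example.

```python
import hmac
import secrets

# Constructed in-memory session store for the example; a real application
# keeps this server-side.  Maps session id (the cookie value) -> session data.
SESSIONS = {}


def new_session(user):
    """Log a user in and attach a per-session CSRF token (the 'unique token'
    the advisory says the vulnerable password reset action lacked)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "csrf": secrets.token_urlsafe(32),
        "password": "old-password",
    }
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own change-password
    form.  A page on another origin cannot read it, so it cannot forge it."""
    return SESSIONS[sid]["csrf"]


def change_password_vulnerable(sid, form):
    """Pattern described by the advisory: the only check is that a valid
    session cookie arrived.  The browser attaches that cookie to any
    cross-site request, so a forged POST carrying only new_password succeeds."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, "not logged in"
    sess["password"] = form["new_password"]
    return 200, "password changed"


def change_password_hardened(sid, form):
    """Same handler with the missing check: the submitted token must match the
    session's token.  compare_digest avoids a timing side channel."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["password"] = form["new_password"]
    return 200, "password changed"


if __name__ == "__main__":
    # Constructed cross-site request: it rides the victim's cookie but
    # carries no token, because the attacker's page never saw one.
    sid = new_session("alice")
    forged = {"new_password": "attacker-chosen"}
    print("vulnerable:", change_password_vulnerable(sid, forged))
    print("hardened:  ", change_password_hardened(sid, forged))
    # The site's own form includes the token, so a legitimate change still works.
    legit = {"new_password": "chosen-by-alice", "csrf_token": csrf_token_for(sid)}
    print("hardened, genuine form:", change_password_hardened(sid, legit))
```

The token check alone is the fix the advisory's wording points at; the explicit confirmation step it also mentions is a second, independent layer, since a confirmation page that itself carries a token cannot be driven to completion by a single crafted link.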