CVE-2015-8004

MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form.

Published: Nov 9, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-8004
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
mediawiki / mediawiki	1.24.2	1.24.2.x
mediawiki / mediawiki	1.24.3	1.24.3.x
mediawiki / mediawiki	-	1.23.10.x
mediawiki / mediawiki	1.24.0	1.24.0.x
mediawiki / mediawiki	1.24.1	1.24.1.x
mediawiki / mediawiki	1.25.2	1.25.2.x
mediawiki / mediawiki	1.25.1	1.25.1.x
mediawiki / mediawiki	1.25.0	1.25.0.x

http://www.securitytracker.com/id/1034028
https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-October/000181.html
https://phabricator.wikimedia.org/T95589

Vulnerability Database

290,020

CVE-2015-8004