CVE-2015-8624
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623.
| Software | From | Fixed in |
|---|---|---|
| mediawiki / mediawiki | 1.24.2 | 1.24.2.x |
| mediawiki / mediawiki | 1.24.3 | 1.24.3.x |
| mediawiki / mediawiki | 1.24.4 | 1.24.4.x |
| mediawiki / mediawiki | 1.24.0 | 1.24.0.x |
| mediawiki / mediawiki | 1.24.1 | 1.24.1.x |
| mediawiki / mediawiki | 1.25.2 | 1.25.2.x |
| mediawiki / mediawiki | 1.26.0 | 1.26.0.x |
| mediawiki / mediawiki | 1.25.1 | 1.25.1.x |
| mediawiki / mediawiki | 1.25.0 | 1.25.0.x |
| mediawiki / mediawiki | 1.25.3 | 1.25.3.x |
| mediawiki / mediawiki | - | 1.23.11.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime