VYPR
Unrated severityNVD Advisory· Published Sep 1, 2015· Updated Jun 17, 2026

CVE-2015-6728

CVE-2015-6728

Description

The ApiBase::getWatchlistUser function in MediaWiki before 1.23.10, 1.24.x before 1.24.3, and 1.25.x before 1.25.2 does not perform token comparison in constant time, which allows remote attackers to guess the watchlist token and bypass CSRF protection via a timing attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

7
  • cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*+ 5 more
    • cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*range: <=1.23.9
    • cpe:2.3:a:mediawiki:mediawiki:1.24.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.24.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.24.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.25.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mediawiki:mediawiki:1.25.1:*:*:*:*:*:*:*
  • Range: before 1.23.10, 1.24.x before 1.24.3, 1.25.x before 1.25.2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.