High severity8.8NVD Advisory· Published Mar 23, 2017· Updated Jun 17, 2026
CVE-2015-8623
CVE-2015-8623
Description
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:*range: <=1.23.11
- cpe:2.3:a:mediawiki:mediawiki:1.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.24.2:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.24.3:*:*:*:*:*:*:*
- cpe:2.3:a:mediawiki:mediawiki:1.24.4:*:*:*:*:*:*:*
- (no CPE)range: <1.23.12, <1.24.5
Patches
Vulnerability mechanics
References
5- www.openwall.com/lists/oss-security/2015/12/21/8nvdMailing ListPatchThird Party Advisory
- www.openwall.com/lists/oss-security/2015/12/23/7nvdMailing ListPatchThird Party Advisory
- lists.wikimedia.org/pipermail/mediawiki-announce/2015-December/000186.htmlnvdPatchRelease NotesVendor Advisory
- phabricator.wikimedia.org/T119309nvdPatchThird Party Advisory
- gerrit.wikimedia.org/r/nvdIssue TrackingThird Party Advisory
News mentions
0No linked articles in our index yet.