Candidate: CVE-2015-8625
PublicDate: 2017-03-23 20:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8625
 https://phabricator.wikimedia.org/T118032
Description:
 MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and
 1.26.x before 1.26.1 do not properly sanitize parameters when calling the
 cURL library, which allows remote attackers to read arbitrary files via an
 @ (at sign) character in unspecified POST array parameters.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_mediawiki:
upstream_mediawiki: released (1:1.25.5-1)
precise_mediawiki: ignored (reached end-of-life)
precise/esm_mediawiki: DNE (precise was needed)
trusty_mediawiki: ignored (reached end-of-life)
trusty/esm_mediawiki: DNE (trusty was needed)
vivid_mediawiki: ignored (reached end-of-life)
vivid/stable-phone-overlay_mediawiki: DNE
vivid/ubuntu-core_mediawiki: DNE
wily_mediawiki: ignored (reached end-of-life)
xenial_mediawiki: DNE
yakkety_mediawiki: ignored (reached end-of-life)
zesty_mediawiki: ignored (reached end-of-life)
artful_mediawiki: ignored (reached end-of-life)
bionic_mediawiki: not-affected (1:1.27.4-3)
cosmic_mediawiki: not-affected (1:1.31.1-3)
disco_mediawiki: not-affected (1:1.31.1-3)
devel_mediawiki: not-affected (1:1.31.1-3)