MediaWiki prior to 1.27.4, 1.28.x prior to 1.28.3, and 1.29.x prior to 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote malicious users to enumerate account names and conduct brute-force attacks via a series of requests.
| Vulnerable Product |
|---|
| mediawiki mediawiki 1.28.1 |
| mediawiki mediawiki |
| mediawiki mediawiki 1.29.0 |
| mediawiki mediawiki 1.29.1 |
| mediawiki mediawiki 1.28.0 |
| mediawiki mediawiki 1.28.2 |
| debian debian linux 9.0 |