Description
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.
Remediation
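The flaw described above, shown as an added example that is not MediaWiki's own code: an early-exit string comparison next to a constant-time one, with a step counter to make the data-dependent work visible. The function names and the sample token are constructed for illustration; `hash_equals()` is PHP's built-in timing-safe comparison (PHP 5.6 and later).

```php
<?php
// Added illustration. Function names and sample values are hypothetical,
// not taken from MediaWiki's includes/User.php.

// Early-exit comparison: stops at the first mismatching character.
// Returns [result, number of character comparisons performed].
function earlyExitEquals(string $known, string $supplied): array {
    if (strlen($known) !== strlen($supplied)) {
        return [false, 0]; // token length is fixed and not secret here
    }
    $steps = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $steps++;
        if ($known[$i] !== $supplied[$i]) {
            return [false, $steps]; // work done depends on the matching prefix
        }
    }
    return [true, $steps];
}

// Constant-time comparison: visits every character and folds all
// differences into one accumulator, so the work does not depend on
// where the first mismatch occurs.
function constantTimeEquals(string $known, string $supplied): array {
    if (strlen($known) !== strlen($supplied)) {
        return [false, 0];
    }
    $diff = 0;
    $steps = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $steps++;
        $diff |= ord($known[$i]) ^ ord($supplied[$i]);
    }
    return [$diff === 0, $steps];
}

// Constructed sample token (32 hex characters) and three wrong guesses.
$token = 'a3f9c07e51b24d68a3f9c07e51b24d68';
$guesses = [
    'wrong 1st char'  => 'x' . substr($token, 1),
    'wrong 17th char' => substr($token, 0, 16) . 'x' . substr($token, 17),
    'wrong last char' => substr($token, 0, 31) . 'x',
];
foreach ($guesses as $label => $guess) {
    [, $early] = earlyExitEquals($token, $guess);
    [, $const] = constantTimeEquals($token, $guess);
    printf("%-16s early-exit=%2d  constant-time=%2d  hash_equals=%s\n",
        $label, $early, $const, var_export(hash_equals($token, $guess), true));
}
```

The early-exit column varies with the position of the first wrong character (1, 17, 32) while the constant-time column stays at 32 for every guess; in production code, prefer `hash_equals()` over a hand-written loop.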
References