Description
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
Remediation
References
Related Vulnerabilities
PHP Out-of-bounds Read Vulnerability (CVE-2019-11046)
WordPress Plugin ABASE Multiple Vulnerabilities (2.6)
ownCloud Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2012-4393)
WordPress Other Vulnerability (CVE-2007-1622)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7890)