MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
References
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2017-11-15T08:00:00

Updated: 2017-11-16T10:57:01

Reserved: 2017-05-07T00:00:00


Link: CVE-2017-8810

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2017-11-15T08:29:00.673

Modified: 2017-11-28T16:58:20.727


Link: CVE-2017-8810

JSON object: View

cve-icon Redhat Information

No data.

CWE