PT-2020-13016 · Mediawiki · Mediawiki Centralauth Extension

Author: Dannys712 · Published: 2020-04-21 · Updated: 2021-07-21 · CVE-2020-12051

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: MediaWiki CentralAuth extension, versions through REL1_34

Description: The issue allows remote attackers to obtain sensitive hidden account information via the "api.php?action=query&meta=globaluserinfo&guiuser=" request, which is exposed through the action API. Normally, access to this information is denied when visiting the wiki/Special:CentralAuth page in a web browser, so the API module discloses data that the special page withholds.

Recommendations: For versions through REL1_34, consider disabling access to the "api.php?action=query&meta=globaluserinfo&guiuser=" endpoint until a patch is available. Restrict access to sensitive account information to minimize the risk of exploitation.

Fix

Related Identifiers

BIT-MEDIAWIKI-2020-12051
CVE-2020-12051

Affected Products

Mediawiki Centralauth Extension