First published: Wed Jan 11 2023
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
MediaWiki MediaWiki | <=1.39.0 | |
Fedoraproject Fedora | =37 | |
The vulnerability ID is CVE-2023-22945.
The severity rating of CVE-2023-22945 is medium (4.3).
The GrowthExperiments extension for MediaWiki up to version 1.39 and Fedora 37 are affected by CVE-2023-22945.
Blocked users can enroll as mentors or edit mentorship-related properties through the growthmanagementorlist API in MediaWiki.
More information about CVE-2023-22945 is available at the following URLs:

- [https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88](https://gerrit.wikimedia.org/r/q/Id1b83fcd58eccb8b2dfea44a3ab2f72314860d88)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AP65YEN762IBNQPOYGUVLTQIDLM5XD2A/)
- [https://phabricator.wikimedia.org/T321733](https://phabricator.wikimedia.org/T321733)