PT-2023-18788 · Mediawiki+1 · Growthexperiments+1

Urbanecm_Wmf · Published 2023-01-11 · Updated 2025-04-07 · CVE-2023-22945

CVSS v3.1

4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

GrowthExperiments extension for MediaWiki versions 1.39 and earlier

Description

The issue allows blocked users to enroll as mentors or edit their mentorship-related properties through the "growthmanagementorlist" API endpoint. This affects users blocked in ApiManageMentorList.

Recommendations

For versions 1.39 and earlier, as a temporary workaround, consider disabling the growthmanagementorlist API endpoint until a patch is available. Restrict access to the ApiManageMentorList to minimize the risk of exploitation. Avoid using the growthmanagementorlist API endpoint until the issue is resolved.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

ALT-PU-2023-4877
ALT-PU-2024-11168
ALT-PU-2024-1228
BIT-MEDIAWIKI-2023-22945
CVE-2023-22945

Affected Products

Alt Linux
Growthexperiments