Description
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.
Remediation
References