The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Link | Tags |
---|---|
https://phabricator.wikimedia.org/T302199 | exploit, third party advisory, patch |
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/QuizGame/+/765651 | vendor advisory |