Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
An Incorrect Access Control vulnerability was found in Wikimedia MediaWiki 1.27.0 through 1.32.1. Directly POSTing to Special:ChangeEmail would allow for bypassing re-authentication, allowing for potential account takeover.
mediawiki to version 1:1.27.7-1~deb9u1 or higher.