CRITICAL🇵🇱 Wersja polska

CVE-2024-34502

CVSS 9.8v3.1pub. 2024-05-05upd. 2025-11-04

An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.

🤖 AI Analysis
How it works

Loading the Special:MergeLexemes page causes an attempt to execute an edit merging the source lexeme (from-id) with the target lexeme (to-id), regardless of the HTTP method used in the request. The mechanism does not check whether the request is a POST method or whether it contains the required edit token that protects against CSRF attacks. An attacker can trick a logged-in user into visiting a specially crafted URL, which will cause the unauthorized merge operation to be executed on their behalf.

Impact

An attacker can cause unauthorized merging of lexemes in the wiki database, causing permanent data modification or destruction without the knowledge and consent of an authorized user. With appropriate privileges of the victim, mass damage to the content of the Wikibase repository is possible.

Mitigation & patch

MediaWiki should be updated to version 1.39.6, 1.40.2 or 1.41.1 (depending on the branch used) and ensure that the WikibaseLexeme extension is updated according to the patch available in the Gerrit repository (patch 1013359). Fedora users should apply package updates in accordance with the announcement published on the package-announce mailing list.

Who is affected

MediaWiki with the WikibaseLexeme extension in versions before 1.39.6, 1.40.x before 1.40.2 and 1.41.x before 1.41.1; also affects Fedora distributions containing these versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    40
  • Mediawiki

    APP
    Mediawiki
    < 1.39.61.40.0 – 1.40.2 (bez)1.41.0 – 1.41.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox

CVE-2023-6345CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Integer overflow w Skia w Google Chrome — sandbox escape