Vulnerability Description
An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mediawiki | Mediawiki | < 1.39.6 |
| Fedoraproject | Fedora | 40 |
Related Weaknesses (CWE)
References
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/1013359PatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://phabricator.wikimedia.org/T357101Issue TrackingVendor Advisory
- https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/1013359PatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://phabricator.wikimedia.org/T357101Issue TrackingVendor Advisory
FAQ
What is CVE-2024-34502?
CVE-2024-34502 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-i...
How severe is CVE-2024-34502?
CVE-2024-34502 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-34502?
Check the references section above for vendor advisories and patch information. Affected products include: Mediawiki Mediawiki, Fedoraproject Fedora.