vulnerability
MediaWiki: Unspecified Security Vulnerability (CVE-2024-34502)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | May 5, 2024 | Jun 20, 2025 | Aug 1, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
May 5, 2024
Added
Jun 20, 2025
Modified
Aug 1, 2025
Description
An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.
Solutions
mediawiki-upgrade-1_39_6mediawiki-upgrade-1_40_2mediawiki-upgrade-1_41_1
References
- CVE-2024-34502
- https://attackerkb.com/topics/CVE-2024-34502
- URL-https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseLexeme/+/1013359
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY/
- URL-https://phabricator.wikimedia.org/T357101
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.