CVE-2024-34502Cross-Site Request Forgery in Mediawiki

CWE-352Cross-Site Request Forgery4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
0.2%
top 63.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
MediawikiFedoraproject Fedora
Timeline
PublishedMay 5

Description

An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDmediawiki/mediawiki1.40.01.40.2+2

Also affects: Fedora 40

Patches

Patch: gerrit.wikimedia.orgPatch: gerrit.wikimedia.org

🔴Vulnerability Details

2
CVEList
CVE-2024-34502: An issue was discovered in WikibaseLexeme in MediaWiki before 12024-05-05
GHSA
GHSA-rq44-cfp6-2c3c: An issue was discovered in WikibaseLexeme in MediaWiki before 12024-05-05

📋Vendor Advisories

1
Red Hat
mediawiki: MergeLexemes makes edits on GET requests without edit tokens2024-05-05
CVE-2024-34502 — Cross-Site Request Forgery | cvebase