CVE-2024-34502

Name of the Vulnerable Software and Affected Versions MediaWiki versions 1.39.6 and earlier, 1.40.x versions prior to 1.40.2, 1.41.x versions prior to 1.41.1

Description An issue was discovered in WikibaseLexeme, related to inadequate access control. This issue allows an attacker to make an edit that merges the from-id to the to-id when loading Special:MergeLexemes, even if the request was not a POST request and does not contain an edit token. The exploitation of this issue may allow a remote attacker to elevate their privileges.

Recommendations For MediaWiki versions 1.39.6 and earlier, update to version 1.39.6 or later. For MediaWiki 1.40.x versions prior to 1.40.2, update to version 1.40.2 or later. For MediaWiki 1.41.x versions prior to 1.41.1, update to version 1.41.1 or later. As a temporary workaround, consider restricting access to the Special:MergeLexemes page until a patch is available.