An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token.
Loading the Special:MergeLexemes page causes an attempt to execute an edit merging the source lexeme (from-id) with the target lexeme (to-id), regardless of the HTTP method used in the request. The mechanism does not check whether the request is a POST method or whether it contains the required edit token that protects against CSRF attacks. An attacker can trick a logged-in user into visiting a specially crafted URL, which will cause the unauthorized merge operation to be executed on their behalf.
An attacker can cause unauthorized merging of lexemes in the wiki database, causing permanent data modification or destruction without the knowledge and consent of an authorized user. With appropriate privileges of the victim, mass damage to the content of the Wikibase repository is possible.
MediaWiki should be updated to version 1.39.6, 1.40.2 or 1.41.1 (depending on the branch used) and ensure that the WikibaseLexeme extension is updated according to the patch available in the Gerrit repository (patch 1013359). Fedora users should apply package updates in accordance with the announcement published on the package-announce mailing list.
MediaWiki with the WikibaseLexeme extension in versions before 1.39.6, 1.40.x before 1.40.2 and 1.41.x before 1.41.1; also affects Fedora distributions containing these versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject40Mediawiki
APPMediawiki< 1.39.61.40.0 – 1.40.2 (bez)1.41.0 – 1.41.1 (bez)
Related vulnerabilities
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox
Integer overflow w Skia w Google Chrome — sandbox escape