CVE-2024-34502 is a critical security vulnerability found in the WikibaseLexeme extension of MediaWiki, affecting versions prior to 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. The vulnerability arises because the Special:MergeLexemes page improperly processes merge requests without enforcing standard security controls such as requiring a POST method or validating an edit token. This allows an attacker to perform unauthorized merge operations between lexeme entries simply by visiting a crafted URL, bypassing Cross-Site Request Forgery (CSRF) protections. The vulnerability is classified under CWE-352, indicating a CSRF weakness, but with an unusual behavior where even GET requests can trigger state-changing actions. The CVSS v3.1 score of 9.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, as it allows unauthenticated remote attackers to manipulate data without user interaction or privileges. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a critical risk for MediaWiki deployments using the affected extensions. This flaw could lead to unauthorized data merges, data corruption, or disruption of services relying on WikibaseLexeme, impacting the trustworthiness and reliability of the information managed.

For European organizations, the impact of CVE-2024-34502 can be severe, particularly for those using MediaWiki with the WikibaseLexeme extension to manage lexeme or linguistic data, knowledge bases, or collaborative content repositories. Unauthorized merges can corrupt or alter critical data, leading to misinformation, loss of data integrity, and potential operational disruptions. Public sector entities, academic institutions, and cultural organizations that rely on MediaWiki for open data projects or linguistic resources are especially vulnerable. The compromise of data integrity can undermine trust in public information systems and may have cascading effects on dependent services or research. Additionally, the vulnerability could be exploited to disrupt service availability or to manipulate data for disinformation campaigns. Given the critical CVSS score and the lack of required authentication or user interaction, attackers can easily exploit this vulnerability remotely, increasing the risk of widespread impact across European organizations using affected MediaWiki versions.

To mitigate CVE-2024-34502, European organizations should immediately upgrade MediaWiki installations to versions 1.39.6, 1.40.2, or 1.41.1 and later, where the vulnerability is patched. If immediate upgrading is not feasible, administrators should restrict access to the Special:MergeLexemes page by implementing strict access controls, such as IP whitelisting or authentication requirements, to limit exposure. Additionally, web application firewalls (WAFs) can be configured to block suspicious requests attempting to access merge functionality without proper tokens or using GET methods. Monitoring logs for unusual merge activity or unexpected edits can help detect exploitation attempts early. Organizations should also review and harden CSRF protections in their MediaWiki configurations and consider disabling the WikibaseLexeme extension if it is not essential. Regular security audits and vulnerability scanning focused on MediaWiki deployments will help identify and remediate similar issues proactively.