BlueSpice Helpdesk - User contributions [en]

Security:Security Advisories/BSSA-2025-02

2025-04-17T12:26:59Z

Mglaser1:

{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}}
{| class="wikitable"
|+
!
!
|-
|Date
|2025-04-17
|-
|Severity
|reported 10.0, BlueSpice assessment: '''medium'''
|-
|Affected
|MediaWiki extension ''OAuth'', ''ConfirmAccount''
|-
|Fixed in
|fix not yet available; workaround available
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
|}

==Problem==
MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/ security release] affecting core and several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?uuid=2ff14d3a-dbb7-4ae8-a0de-369ab22ba6e8 WID-SEC-2025-0790]

BlueSpice is mostly not affected, with the notable exception of
* Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
* Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions

==Impact assessment==
'''Summary''': BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a '''medium''' threat.
* Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
* Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.

== Solution ==

Hallo Welt! is working on an updated release.
* We recommend updating to BlueSpice 4.5.5 (not yet published).
* If an update is not possible, customers can simply deactivate the OAuth extension.

==Acknowledgements==
Reported by BSI.

Security:Security Advisories/BSSA-2025-02

2025-04-17T12:19:24Z

Mglaser1:

{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}}
{| class="wikitable"
|+
!
!
|-
|Date
|2025-04-17
|-
|Severity
|reported 10.0
|-
|Affected
|MediaWiki extension ''OAuth'', ''ConfirmAccount''
|-
|Fixed in
|fix not yet available; workaround available
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
|}

==Problem==
MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/ security release] affecting core and several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?uuid=2ff14d3a-dbb7-4ae8-a0de-369ab22ba6e8 WID-SEC-2025-0790]

BlueSpice is mostly not affected, with the notable exception of
* Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
* Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions

==Impact assessment==

* Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
* Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.

== Solution ==

Hallo Welt! is working on an updated release.
* We recommend updating to BlueSpice 4.5.5 (not yet published).
* If an update is not possible, customers can simply deactivate the OAuth extension.

==Acknowledgements==
Reported by BSI.

Security:Security Advisories/BSSA-2025-02

2025-04-17T11:57:42Z

Mglaser1: Created page with "{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}} {| class="wikitable" |+ ! ! |- |Date |2025-04-17 |- |Severity |reported 10.0 |- |Affected |MediaWiki extension ''OAuth'', ''ConfirmAccount'' |- |Fixed in |BlueSpice 4.5.4 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074] |}..."

{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}}
{| class="wikitable"
|+
!
!
|-
|Date
|2025-04-17
|-
|Severity
|reported 10.0
|-
|Affected
|MediaWiki extension ''OAuth'', ''ConfirmAccount''
|-
|Fixed in
|BlueSpice 4.5.4
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
|}

==Problem==
CVE-2025-23081 mentions several security issues with MediaWiki extensions < 1.39.11 .
<br />'''BlueSpice only uses one of these extensions: DataTransfer.'''
* CVE-2025-23072: Concerns ''Extension:RefreshSpecial'' → not included in BlueSpice distribution → not affected
* CVE-2025-23073: Concerns ''Extension:GlobalBlocking'' → not included in BlueSpice distribution → not affected
* CVE-2025-23074: Concerns ''Extension:SocialProfile'' → not included in BlueSpice distribution → not affected
* CVE-2025-23078: Concerns ''Extension:Breadcrumbs2'' → not included in BlueSpice distribution → not affected
* CVE-2025-23079: Concerns ''Extension:ArticleFeedbackv5'' → not included in BlueSpice distribution → not affected
* CVE-2025-23080: Concerns ''Extension:OpenBadges'' → not included in BlueSpice distribution → not affected
* CVE-2025-23081: Concerns '''''Extension:DataTransfer''''' → '''Included in BlueSpice distribution''' → '''affected'''
** → BlueSpice 4.5.3 is affected
** → BlueSpice 4.5.4 ist not affected

==Impact assessment==

* There is no official assessment by the author of the CVE. XSS and CSRF attacks in general allow identity theft and privilege escalation. This security vulnerability can only be exploited by users who are created in the wiki (including those who have been created and blocked).

== Solution ==

* We recommend updating to BlueSpice 4.5.4.
* If an update is not possible, customers can simply deactivate the DataTransfer extension.

==Acknowledgements==
Reported by a customer.

Security:Security Advisories

2025-04-17T11:54:15Z

Mglaser1:

{| class="wikitable sortable" style="width:100%;"
!Release name
!Release date
!Title
!References
!Summary
|-
|[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
|2025-04-17
|Security vulnerabilities in Extension:OAuth
|[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
|Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
|2025-01-20
|Security vulnerabilities in Extension:DataTransfer
|[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
|Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
|2023-07-25
|Ghostscript vulnerability
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|Code can be executed on the server via a manipulated PDF
|-
|[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
|Arbitrary HTML injection through use of interface elements
|-
|[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
|Arbitrary HTML injection through personal menu items
|-
|[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
|Arbitrary HTML injection through the custom menu
|-
|[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
|Arbitrary HTML injection through the book navigation
|-
|[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|Arbitrary HTML injection through user preferences
|-
|[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
|Arbitrary HTML injection through main navigation
|-
|[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
|Arbitrary HTML injection through the 'title' parameter
|-
|[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
|2022-01-31
|XSS attack vector in Search Center
|[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
|JavaScript in search field is reflected back to the browser.
|}

User:Mglaser1

2025-04-17T11:51:28Z

Mglaser1: create user page