Security:Security Advisories/BSSA-2025-02: Difference between revisions

VisualWikitext
(Created page with "{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}} {| class="wikitable" |+ ! ! |- |Date |2025-04-17 |- |Severity |reported 10.0 |- |Affected |MediaWiki extension ''OAuth'', ''ConfirmAccount'' |- |Fixed in |BlueSpice 4.5.4 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074] |}...")
Tag: 2017 source edit
 
No edit summary
Tag: 2017 source edit
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}}
{{Featurepage|featured=false|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}}
{| class="wikitable"
{| class="wikitable"
|+
|+
Line 9: Line 9:
|-
|-
|Severity
|Severity
|reported 10.0
|reported 10.0, BlueSpice assessment: '''medium'''
|-
|-
|Affected
|Affected
Line 15: Line 15:
|-
|-
|Fixed in
|Fixed in
|BlueSpice 4.5.4
|fix not yet available; workaround available
|-
|-
|CVE
|CVE
Line 22: Line 22:


==Problem==
==Problem==
CVE-2025-23081 mentions several security issues with MediaWiki extensions < 1.39.11 .  
MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/ security release] affecting core and several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?uuid=2ff14d3a-dbb7-4ae8-a0de-369ab22ba6e8 WID-SEC-2025-0790]
<br />'''BlueSpice only uses one of these extensions: DataTransfer.'''
 
* CVE-2025-23072: Concerns ''Extension:RefreshSpecial'' → not included in BlueSpice distribution → not affected
BlueSpice is mostly not affected, with the notable exception of
* CVE-2025-23073: Concerns ''Extension:GlobalBlocking'' → not included in BlueSpice distribution → not affected
* Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
* CVE-2025-23074: Concerns ''Extension:SocialProfile'' → not included in BlueSpice distribution → not affected
* Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions
* CVE-2025-23078: Concerns ''Extension:Breadcrumbs2'' → not included in BlueSpice distribution → not affected
* CVE-2025-23079: Concerns ''Extension:ArticleFeedbackv5'' → not included in BlueSpice distribution → not affected
* CVE-2025-23080: Concerns ''Extension:OpenBadges'' → not included in BlueSpice distribution → not affected
* CVE-2025-23081: Concerns '''''Extension:DataTransfer''''' → '''Included in BlueSpice distribution'''  → '''affected'''
** → BlueSpice 4.5.3 is affected
** → BlueSpice 4.5.4 ist not affected


==Impact assessment==
==Impact assessment==
 
'''Summary''': BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a '''medium''' threat.
* There is no official assessment by the author of the CVE. XSS and CSRF attacks in general allow identity theft and privilege escalation. This security vulnerability can only be exploited by users who are created in the wiki (including those who have been created and blocked).
* Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
* Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.


== Solution ==
== Solution ==


* We recommend updating to BlueSpice 4.5.4.
Hallo Welt! is working on an updated release.
* If an update is not possible, customers can simply deactivate the DataTransfer extension.
* We recommend updating to BlueSpice 4.5.5 (not yet published).
* If an update is not possible, customers can simply deactivate the OAuth extension.


==Acknowledgements==
==Acknowledgements==
Reported by a customer.
Reported by BSI.

Latest revision as of 16:11, 30 April 2025

Date 2025-04-17
Severity reported 10.0, BlueSpice assessment: medium
Affected MediaWiki extension OAuth, ConfirmAccount
Fixed in fix not yet available; workaround available
CVE CVE-2025-32068, CVE-2025-32074

Problem

MediaWiki issued a security release affecting core and several extensions. This is also included in a BSI security advisory WID-SEC-2025-0790

BlueSpice is mostly not affected, with the notable exception of

  • Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
  • Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions

Impact assessment

Summary: BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a medium threat.

  • Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
  • Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.

Solution

Hallo Welt! is working on an updated release.

  • We recommend updating to BlueSpice 4.5.5 (not yet published).
  • If an update is not possible, customers can simply deactivate the OAuth extension.

Acknowledgements

Reported by BSI.

Retrieved from "https://en.wiki.bluespice.com/w/index.php?title=Security:Security_Advisories/BSSA-2025-02&oldid=10653"