No edit summary Tag: 2017 source edit |
No edit summary Tag: 2017 source edit |
||
| (One intermediate revision by one other user not shown) | |||
| Line 1: | Line 1: | ||
{{Featurepage|featured= | {{Featurepage|featured=false|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}} | ||
{| class="wikitable" | {| class="wikitable" | ||
|+ | |+ | ||
| Line 9: | Line 9: | ||
|- | |- | ||
|Severity | |Severity | ||
|reported 10.0 | |reported 10.0, BlueSpice assessment: '''medium''' | ||
|- | |- | ||
|Affected | |Affected | ||
| Line 29: | Line 29: | ||
==Impact assessment== | ==Impact assessment== | ||
'''Summary''': BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a '''medium''' threat. | |||
* Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards. | * Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards. | ||
* Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop. | * Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop. | ||
Latest revision as of 16:11, 30 April 2025
| Date | 2025-04-17 |
| Severity | reported 10.0, BlueSpice assessment: medium |
| Affected | MediaWiki extension OAuth, ConfirmAccount |
| Fixed in | fix not yet available; workaround available |
| CVE | CVE-2025-32068, CVE-2025-32074 |
Problem
MediaWiki issued a security release affecting core and several extensions. This is also included in a BSI security advisory WID-SEC-2025-0790
BlueSpice is mostly not affected, with the notable exception of
- Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
- Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions
Impact assessment
Summary: BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a medium threat.
- Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
- Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.
Solution
Hallo Welt! is working on an updated release.
- We recommend updating to BlueSpice 4.5.5 (not yet published).
- If an update is not possible, customers can simply deactivate the OAuth extension.
Acknowledgements
Reported by BSI.
