Security:Security Advisories/BSSA-2025-03: Difference between revisions

Latest revision as of 12:36, 28 July 2025



Date	2025-07-28
Severity	reported 9.1, BlueSpice assessment: medium
Affected	MediaWiki extensions Scribunto, TabberNeue, TwoColConflict, Quiz
Fixed in	fix not yet available; workaround available
CVE	CVE-2025-53501, CVE-2025-53494, CVE-2025-53093, CVE-2025-7057

Problem

MediaWiki issued a security release affecting several extensions. This is also included in a BSI security advisory WID-SEC-2025-1525.

BlueSpice is mostly not affected, with the notable exception of

Extension:Scribunto. This is shipped in all BlueSpice editions, but only enabled by default in PRO, FARM, CLOUD, ERM and CLOUDOGU edition.
Extension:TabberNeue. This is shipped and enabled only in BlueSpice PRO, FARM, CLOUD, ERM and CLOUDOGU edition
Extension:TwoColConflict. This is shipped and enabled in all BlueSpice editions.
Extension:Quiz. This is shipped but disabled by default in all BlueSpice editions.

Impact assessment

Summary: BlueSpice 4.5.x is affected, but the attack vectors require elevated privileges. BlueSpice 5.1.x is not affected at all.

Extension:Scribunto. In order to exploit the vulnerability, the user must have permission to edit the "Module" namespace.
Extension:TabberNeue. The shipped version is not affected by the issue.
Extension:TwoColConflict. In order to exploit the vulnerability, the user must have permission to edit the "MediaWiki" namespace.
Extension:Quiz In order to exploit the vulnerability, the user must have permission to edit the "MediaWiki" namespace. The extension is disabled by default.

Solution

Hallo Welt! is working on an updated release.

We recommend updating to BlueSpice 4.5.6 (not yet published).
If an update is not possible, customers can simply deactivate the extensions "Scribunto", "TwoColConflict" and if required "Quiz".
For the vulnerability in Extension:Scribunto, one can also lock down the edit permissions of the "Module" namespace.

Acknowledgements

Reported by BSI.

@@ Line 8: / Line 8: @@
 |-
 |Severity
-|Highest reported 8.6 (TabberNeue), BlueSpice assessment: '''low'''
+|reported 9.1, BlueSpice assessment: '''medium'''
 |-
 |Affected
@@ Line 17: / Line 17: @@
 |-
 |CVE
-|[https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501, [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-CVE-2025-7057 CVE-2025-7057]
+|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
 |}
 ==Problem==
-MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/ security release] affecting several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1525].
+MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/ security release] affecting several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1525 WID-SEC-2025-1525].
 BlueSpice is mostly not affected, with the notable exception of
@@ Line 41: / Line 41: @@
 * We recommend updating to BlueSpice 4.5.6 (not yet published).
 * If an update is not possible, customers can simply deactivate the extensions "Scribunto", "TwoColConflict" and if required "Quiz".
+* For the vulnerability in Extension:Scribunto, one can also lock down the edit permissions of the "Module" namespace.
 ==Acknowledgements==
 Reported by BSI.