(Created page with "{{Featurepage|featured=true|featuredesc=CVE-2025-32068, CVE-2025-32068: Security vulnerabilities in extension OAuth and ConfirmAccount|featurestart=04/17/2025}} {| class="wikitable" |+ ! ! |- |Date |2025-04-17 |- |Severity |reported 10.0 |- |Affected |MediaWiki extension ''OAuth'', ''ConfirmAccount'' |- |Fixed in |BlueSpice 4.5.4 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074] |}...") Tag: 2017 source edit |
No edit summary Tag: 2017 source edit |
||
| Line 15: | Line 15: | ||
|- | |- | ||
|Fixed in | |Fixed in | ||
| | |fix not yet available; workaround available | ||
|- | |- | ||
|CVE | |CVE | ||
| Line 22: | Line 22: | ||
==Problem== | ==Problem== | ||
MediaWiki issued a [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/CIXFJVC57OFRBCCEIDRLZCLFGMYGEYTT/ security release] affecting core and several extensions. This is also included in a BSI security advisory [https://wid.cert-bund.de/portal/wid/securityadvisory?uuid=2ff14d3a-dbb7-4ae8-a0de-369ab22ba6e8 WID-SEC-2025-0790] | |||
BlueSpice is mostly not affected, with the notable exception of | |||
* Extension:OAuth. This is shipped in all BlueSpice versions > 4.4 | |||
* Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions | |||
* | |||
* | |||
==Impact assessment== | ==Impact assessment== | ||
* | * Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards. | ||
* Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop. | |||
== Solution == | == Solution == | ||
* We recommend updating to BlueSpice 4.5. | Hallo Welt! is working on an updated release. | ||
* If an update is not possible, customers can simply deactivate the | * We recommend updating to BlueSpice 4.5.5 (not yet published). | ||
* If an update is not possible, customers can simply deactivate the OAuth extension. | |||
==Acknowledgements== | ==Acknowledgements== | ||
Reported by | Reported by BSI. | ||
Revision as of 14:19, 17 April 2025
| Date | 2025-04-17 |
| Severity | reported 10.0 |
| Affected | MediaWiki extension OAuth, ConfirmAccount |
| Fixed in | fix not yet available; workaround available |
| CVE | CVE-2025-32068, CVE-2025-32074 |
Problem
MediaWiki issued a security release affecting core and several extensions. This is also included in a BSI security advisory WID-SEC-2025-0790
BlueSpice is mostly not affected, with the notable exception of
- Extension:OAuth. This is shipped in all BlueSpice versions > 4.4
- Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions
Impact assessment
- Extension:OAuth. A consumer can get a new access token which remains valid and thus gain access. This is only the case if OAuth extension is actively in use and an access token has been granted and revoked afterwards.
- Extension:ConfirmAccount. It is possible to prepare interface messages to include malicious code. The attacker has to have interface-admin rights to change system messages which can then result in a XSS attack. For BlueSpice default, this is the case if you are in group sysop.
Solution
Hallo Welt! is working on an updated release.
- We recommend updating to BlueSpice 4.5.5 (not yet published).
- If an update is not possible, customers can simply deactivate the OAuth extension.
Acknowledgements
Reported by BSI.
