| Date | 2025-10-22 |
|---|---|
| Severity | High |
| Affected | |
| Fixed in | |
| CVE | |
Problem
The following list only contains items from the MediaWiki 1.43.5 and 1.39.15 security releases that are actually part of the BlueSpice distribution.
| CVE | Component | Type of vulnerability | BlueSpice 5 | BlueSpice 4 |
|---|---|---|---|---|
| CVE-2025-61634 | MediaWiki Core / REST | Denial Of Service | affected | not affected |
| CVE-2025-61636 | MediaWiki Core / HTMLForm | XSS | affected | not affected |
| CVE-2025-61637 | MediaWiki Core / Preview | XSS | affected | not affected |
| CVE-2025-61638 | MediaWiki Core / Various | XSS | affected | affected |
| CVE-2025-61639 | MediaWiki Core / RecentChanges | Information Disclosure | affected | affected |
| CVE-2025-61640 | MediaWiki Core / RecentChanges | XSS | affected | affected |
| CVE-2025-61641 | MediaWiki Core / ActionAPI | Denial Of Service | affected | affected |
| CVE-2025-61642 | MediaWiki Core / HTMLForm | XSS | affected | not affected |
| CVE-2025-61643 | MediaWiki Core / RecentChanges (Feed) | Information Disclosure | affected | affected |
| CVE-2025-61646 | MediaWiki Core / RecentChanges+Watchlist | Information Disclosure | affected | affected |
| CVE-2025-61635 | Extension:ConfirmEdit | <no information available> | not affected | not affected |
| CVE-2025-61652, CVE-2025-11175 | Extension:DiscussionTools | Information Disclosure | not affected | not affected |
| CVE-2025-11173 | Extension:OATHAuth | Bypass authn at content check | affected | affected |
| CVE-2025-61653 | Extension:TextExtracts | Information Disclosure | affected | affected |
| CVE-2025-61655, CVE-2025-61656 | Extension:VisualEditor | XSS | affected | affected |
| CVE-2025-61657 | Skin:Vector | <no information available> | not affected | not affected |
| CVE-2025-61638 | Parsoid | XSS | affected | affected |
| CVE-2025-53625 | Extension:DynamicPageList | Information Disclosure | affected | affected |
| CVE-2025-59839 | Extension:EmbedVideo | XSS | affected | affected |
| CVE-2025-54370 | Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel | Server-side Request Forgery | affected | affected |
| CVE-2025-3277 | Container bluespice/database | Arbitrary Code Execution | not affected | affected |
| CVE-2025-6965 | Container bluespice/database | Memory Corruption | not affected | affected |
| CVE-2024-56171 | Container bluespice/database | Use-After-Free | not affected | affected |
| CVE-2025-54874 | Container bluespice/wiki | Memory Corruption | affected | affected |
| CVE-2025-7458 | Container bluespice/wiki | Arbitrary SQL Execution | affected | not affected |
Impact assessment
| CVE | Assessment | Mitigation without update |
|---|---|---|
| CVE-2025-11173 | Low | Disable Extension:OATHAuth |
| CVE-2025-11175 | Part of distribution, but disabled by default | - |
| CVE-2025-61634 | Low | - |
| CVE-2025-61635 | Part of distribution, but disabled by default | - |
| CVE-2025-61636 | Low; Affected code not used in BlueSpice by default | - |
| CVE-2025-61637 | Low; Requires admin privileges (NS_MEDIAWIKI) | - |
| CVE-2025-61638 | High; Part of standard editing functionality | - |
| CVE-2025-61639 | Medium | - |
| CVE-2025-61640 | Low; Requires admin privileges (NS_MEDIAWIKI) | - |
| CVE-2025-61641 | Low | - |
| CVE-2025-61642 | Low; Affected code not used in BlueSpice by default | - |
| CVE-2025-61643 | Medium | - |
| CVE-2025-61646 | Medium | - |
| CVE-2025-61652 | Part of distribution, but disabled by default | - |
| CVE-2025-61653 | Medium | Disable Extension:Popups and Extension:HoverCards |
| CVE-2025-61655 | High; Part of standard editing functionality | Disable Extension:VisualEditor |
| CVE-2025-61656 | High; Part of standard editing functionality | Disable Extension:VisualEditor |
| CVE-2025-61657 | Part of distribution, but disabled by default | - |
| CVE-2025-53625 | Medium | Disable Extension:DynamicPageList |
| CVE-2025-59839 | High | Disable Extension:EmbedVideo |
| CVE-2025-54370 | Medium | Disable Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel |
| CVE-2025-3277 | Low | Make sure bluespice/database is properly isolated from unauthorized external access |
| CVE-2025-6965 | Low | Make sure bluespice/database is properly isolated from unauthorized external access |
| CVE-2024-56171 | Low | Make sure bluespice/database is properly isolated from unauthorized external access |
| CVE-2025-54874 | Medium | - |
| CVE-2025-7458 | Medium | - |
Solution
- Update to BlueSpice 5.1.3
- Update to BlueSpice 4.5.7
False positives in 4.5.7 audit
Audit tools may detect CVE-2025-53625 and CVE-2025-59839 in builds of 4.5.7. This is because no fixed, compatible upstream versions of the affected components are available. The versions bundled with the 4.5.7 release do contain the necessary fixes for those issues as backports; it is just that their version numbers are not known to the vulnerability databases as fixed.
Acknowledgements
Reported by various community members