| Release name | Release date | Title | References | Summary | Severity |
|---|---|---|---|---|---|
| BSSA-2025-06 | 2025-10-28 | Security vulnerabilities in various MediaWiki extensions that are actually part of the BlueSpice distribution | CVE-2024-56171, CVE-2025-3277, CVE-2025-6965, CVE-2025-11173, CVE-2025-11175, CVE-2025-53625, CVE-2025-54370, CVE-2025-54874, CVE-2025-59839, CVE-2025-61634, CVE-2025-61635, CVE-2025-61636, CVE-2025-61637, CVE-2025-61638, CVE-2025-61639, CVE-2025-61640, CVE-2025-61641, CVE-2025-61642, CVE-2025-61643, CVE-2025-61646, CVE-2025-61652, CVE-2025-61653, CVE-2025-61655, CVE-2025-61655, CVE-2025-61656, CVE-2025-61656, CVE-2025-61657, CVE-2025-7458 | Denial Of Service, Cross-Site Scripting (XSS), Information Disclosure, Bypass authn at content check, Server-side Request Forgery, Arbitrary Code Execution, Memory Corruption, Use-After-Free, Arbitrary SQL Execution | High |
| BSSA-2025-05 | 2025-09-19 | XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner | CVE-2025-46703, CVE-2025-48007, CVE-2025-57880, CVE-2025-58114 | | Medium |
| BSSA-2025-04 | 2025-09-18 | Security vulnerabilities in services bluespice/search, bluespice/formular and bluespice/wiki | CVE-2025-54988, CVE-2025-7783, CVE-2025-58050, CVE-2025-49796 | Denial-of-Service, Information Disclosure | Low |
| BSSA-2025-03 | 2025-07-28 | Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz | CVE-2025-53501, CVE-2025-53494, CVE-2025-53093, CVE-2025-7057 | Information Disclosure | Medium |
| BSSA-2025-02 | 2025-04-17 | Security vulnerabilities in Extension:OAuth | CVE-2025-32068, CVE-2025-32074 | Allows unauthorized access to the wiki, Cross-Site Scripting (XSS) | Medium |
| BSSA-2025-01 | 2025-01-20 | Security vulnerabilities in Extension:DataTransfer | CVE-2025-23081 | Allows Cross Site Request Forgery, Cross-Site Scripting (XSS) | Medium |
| BSSA-2023-02 | 2023-10-30 | Security vulnerabilities in Extension:BlueSpiceAvatars | CVE-2023-42431 | Allows Cross-Site Scripting (XSS) | Low |
| BSSA-2023-01 | 2023-07-25 | Ghostscript vulnerability | CVE-2023-36664 | Code can be executed on the server via a manipulated PDF | Medium |
| BSSA-2022-08 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-3895 | Arbitrary HTML injection through use of interface elements | Medium |
| BSSA-2022-07 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-3958 | Arbitrary HTML injection through personal menu items | Medium |
| BSSA-2022-06 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-3893 | Arbitrary HTML injection through the custom menu | Low |
| BSSA-2022-05 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-42001 | Arbitrary HTML injection through the book navigation | Low |
| BSSA-2022-04 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-41789, CVE-2022-41814, CVE-2022-42000 | Arbitrary HTML injection through user preferences | Low |
| BSSA-2022-03 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-41611 | Arbitrary HTML injection through main navigation | Low |
| BSSA-2022-02 | 2022-11-15 | XSS attack vector on regular pages | CVE-2022-2511 | Arbitrary HTML injection through the 'title' parameter | Medium |
| BSSA-2022-01 | 2022-01-31 | XSS attack vector in Search Center | CVE-2022-2510 | JavaScript in search field is reflected back to the browser. | Medium |