BlueSpice - User contributions [en]

Development

2026-03-17T07:03:30Z

Rvogel1:

This page contains information about how to set up a local development environment for BlueSpice.

== Local development environment based on <code>bluespice-deploy</code> ==
A developer can use the [[Setup:Installation Guide/Docker|default deployment stack]] and alter is to quickly set up a development environment. To do so, first clone the stack to your local machine and navigate into it:
<syntaxhighlight lang="text">
git clone -b 5.2.x git@github.com:hallowelt/bluespice-deploy.git
cd bluespice-deploy/compose
</syntaxhighlight>

Create a proper <code>.env</code> file from the <code>.env.sample</code> and alter/add the following lines:
<syntaxhighlight lang="text">
DATADIR=~/workspace/REL1_43-5.2.x/data
CODEDIR=~/workspace/REL1_43-5.2.x/code
SMTP_HOST=mailhog
SMTP_PORT=1025
</syntaxhighlight>

Create a <code>docker-compose.overrides.yml</code> file with the following content:
<syntaxhighlight lang="yaml">
x-common-dev: &x-common
image: docker.bluespice.com/bluespice-qa/wiki:latest
volumes:
- ${CODEDIR}:/app/bluespice/w/

services:

wiki-installer:
<<: *x-common

wiki-web:
<<: *x-common
restart: no

wiki-task:
<<: *x-common
restart: no

mailhog:
image: mailhog/mailhog
container_name: ${COMPOSE_PROJECT_NAME:-bluespice}-mailhog
environment:
VIRTUAL_HOST: ${WIKI_HOST}
VIRTUAL_PATH: /_mailhog/
VIRTUAL_PORT: 8025
VIRTUAL_DEST: /
restart: no

cache:
restart: no

collabpads:
restart: no

collabpads-database:
restart: no

database:
restart: no

diagram:
restart: no

formula:
restart: no

pdf:
restart: no

proxy:
restart: no

search:
restart: no

wire:
restart: no
</syntaxhighlight>

This will make the stack use your local codebase from <code>$CODEDIR</code> and also expose a Mailhog web interface on <code>$Wiki_HOST/_mailhog</code>.

In addition, if you want to work with a custom build of the <code>bluespice/wiki</code> container, you can add an <code>image:</code> entry to the respective services. Example
<syntaxhighlight lang="yaml">
wiki-installer:
image: bluespice/wiki:dev
...
wiki-web:
image: bluespice/wiki:dev
...

wiki-task:
image: bluespice/wiki:dev
...
</syntaxhighlight>or you set<blockquote>BLUESPICE_WIKI_IMAGE=bluespice/wiki:dev</blockquote>in your <code>.env</code>-File

Security:Security Advisories

2026-03-04T15:36:17Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
!Severity
|-
|[[Security:Security Advisories/BSSA-2026-02|BSSA-2026-02]]
|2026-03-04
|Security vulnerability in BlueSpice Database container and NSFileRepo extension.
|[https://avd.aquasec.com/nvd/2025/cve-2025-15467 CVE-2025-15467],
[https://avd.aquasec.com/nvd/2026/cve-2026-24732 CVE-2026-24732]
|Buffer Overflow; Information disclosure
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2026-01|BSSA-2026-01]]
|2026-01-28
|Security vulnerability in BlueSpice Collabpads database container.
|[https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
|Read of uninitialized heap memory
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-07|BSSA-2025-07]]
|2025-12-10
|Security vulnerability in BlueSpice Search container.
|[https://avd.aquasec.com/nvd/2025/cve-2025-66516 CVE-2025-66516]
|XML Entity Injection
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-06|BSSA-2025-06]]
|2025-10-28
|Security vulnerabilities in various MediaWiki extensions that are actually part of the BlueSpice distribution
|[https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171], [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277], [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965], [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173], [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175],
[https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625],
[https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370],
[https://www.cve.org/CVERecord?id=CVE-2025-54874 CVE-2025-54874],
[https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839],
[https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634],
[https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635],
[https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636],
[https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637],
[https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638],
[https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639],
[https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640],
[https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641],
[https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642],
[https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643],
[https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646],
[https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652],
[https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657],
[https://www.cve.org/CVERecord?id=CVE-2025-7458 CVE-2025-7458]
|Denial Of Service,
Cross-Site Scripting (XSS),
Information Disclosure,
Bypass authn at content check,
Server-side Request Forgery,
Arbitrary Code Execution,
Memory Corruption,
Use-After-Free,
Arbitrary SQL Execution
| style="" class="col-red-bg" |High
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure,
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2023-02|BSSA-2023-02]]
|2023-10-30
|Security vulnerabilities in Extension:BlueSpiceAvatars
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|Allows Cross-Site Scripting (XSS)
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
| style="" class="col-orange-bg" |Medium
|}

Security:Security Advisories/BSSA-2026-02

2026-03-04T15:32:37Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2026-03-04
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in LTS version < 5.1.5
BlueSpice PRO/FARM < 5.1.4

BlueSpice PRO/FARM < 5.2.0
|-
|Fixed in
|BlueSpice PRO/FARM 5.1.4
BlueSpice PRO/FARM 5.2.1
|-
|CVE
|
* [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467]
* [https://avd.aquasec.com/nvd/2026/cve-2026-24732 CVE-2026-24732]
|}

==Problem==
{| class="wikitable"
!'''CVE'''
!'''Component'''
!'''Type of vulnerability'''
!'''BlueSpice 5'''
!'''BlueSpice 4'''
|-
|CVE-2025-15467
|Container <code>bluespice/database</code>
|Buffer Overflow
| style="" class="col-purple-bg" |affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2026-24732
|Extension:NSFileRepo
|Information Disclosure
| style="" class="col-purple-bg" |affected
| style="" class="col-green-bg" |not affected
|}

==Impact assessment==
{| class="wikitable" style="width: 100%;"
!CVE
!Assessment
!Mitigation without update
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-15467
| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low, as by default configuration of <code>bluespice-deploy</code>, this is not exploitable
| style="vertical-align:middle;text-align:left;" |Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
|-
|CVE-2026-24732
| style="" class="col-orange-bg" |Low, as by default configuration of BlueSpice MediaWiki, this is not exploitable. The affected type of configuration is considered an edge-case.
|Make sure <code>$wgGroupPermissions['*']['read']</code> is set to <code>false</code> in the <code>LocalSettings.php</code>.
|}

== Solution ==
Update to BlueSpice 5.1.4+ or 5.2.1+

Security:Security Advisories/BSSA-2026-02

2026-03-04T13:01:32Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2026-03-04
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in LTS version < 5.1.5
BlueSpice PRO/FARM < 5.1.5
BlueSpice PRO/FARM < 5.2.0
|-
|Fixed in
|BlueSpice PRO/FARM 5.1.4
BlueSpice PRO/FARM 5.2.1
|-
|CVE
|
* [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467]
* [https://avd.aquasec.com/nvd/2026/cve-2026-24732 CVE-2026-24732]
|}

==Problem==
{| class="wikitable"
!'''CVE'''
!'''Component'''
!'''Type of vulnerability'''
!'''BlueSpice 5'''
!'''BlueSpice 4'''
|-
|CVE-2025-15467
|Container <code>bluespice/database</code>
|Buffer Overflow
| style="" class="col-purple-bg" |affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2026-24732
|
|Information Disclosure
| style="" class="col-purple-bg" |affected
| style="" class="col-green-bg" |not affected
|}

==Impact assessment==
{| class="wikitable" style="width: 100%;"
!CVE
!Assessment
!Mitigation without update
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-15467
| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low
| style="vertical-align:middle;text-align:left;" |Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
|-
|CVE-2026-24732
| style="" class="col-purple-bg" |Medium
|None
|}

== Solution ==
To mitigate <code>CVE-2026-24732</code> , please update to

Security:Security Advisories/BSSA-2026-02

2026-03-04T13:00:54Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2026-01-29
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in LTS version < 5.1.5
BlueSpice PRO/FARM < 5.1.5
BlueSpice PRO/FARM < 5.2.0
|-
|Fixed in
|BlueSpice PRO/FARM 5.1.4
BlueSpice PRO/FARM 5.2.1
|-
|CVE
|
* [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467]
* [https://avd.aquasec.com/nvd/2026/cve-2026-24732 CVE-2026-24732]
|}

==Problem==
{| class="wikitable"
!'''CVE'''
!'''Component'''
!'''Type of vulnerability'''
!'''BlueSpice 5'''
!'''BlueSpice 4'''
|-
|CVE-2025-15467
|Container <code>bluespice/database</code>
|Buffer Overflow
| style="" class="col-purple-bg" |affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2026-24732
|
|Information Disclosure
| style="" class="col-purple-bg" |affected
| style="" class="col-green-bg" |not affected
|}

==Impact assessment==
{| class="wikitable" style="width: 100%;"
!CVE
!Assessment
!Mitigation without update
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-15467
| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low
| style="vertical-align:middle;text-align:left;" |Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
|-
|CVE-2026-24732
| style="" class="col-purple-bg" |Medium
|None
|}

== Solution ==
To mitigate <code>CVE-2026-24732</code> , please update to

Security:Security Advisories/BSSA-2026-01

2026-03-04T12:52:08Z

Rvogel1: Undo previous change; Will go into dedicated BSSA

{| class="wikitable"
|+
!
!
|-
|Date
|2026-01-29
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in current LTS version < 5.1.4
|-
|Fixed in
|5.2.1, 5.1.5
|-
|CVE
| [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
|}

==Problem==
* Service <code>collabpads-database</code> (image name: <code>mongo</code> ) - [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]

==Impact assessment==
* Service <code>collabpads-database</code> (image name: <code>mongo</code> )
** A unauthenticated MongoDB client can attack the service if reachable. By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.

== Solution ==
To mitigate <code>CVE-2025-14847</code> use one of the following options:

# Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
# Update the <code>mongo</code> docker image via BlueSpice's deploy tool: <code>bluespice-deploy pull collabpads-database && bluespice-deploy up -d</code>
# Update to version >=5.1.5 or >=5.2.1 of the BlueSpice images

Security:Security Advisories/BSSA-2026-02

2026-03-04T12:20:41Z

Rvogel1: Created page with "{| class="wikitable" |+ ! ! |- |Date |2026-01-29 |- |Severity |reported "high", BlueSpice assessment: '''low''' |- |Affected | Services in current LTS version < 5.1.4 |- |Fixed in | |- |CVE | * [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847] * [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467] |} ==Problem== {| class="wikitable" !'''CVE''' !'''Component''' !'''Type of vulnerability''' !'''BlueSpice 5''' !'''BlueSpice 4''' |- |CVE-2025-148..."

{| class="wikitable"
|+
!
!
|-
|Date
|2026-01-29
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in current LTS version < 5.1.4
|-
|Fixed in
|
|-
|CVE
|
* [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
* [https://avd.aquasec.com/nvd/2025/cve-2025-15467/ CVE-2025-15467]
|}

==Problem==
{| class="wikitable"
!'''CVE'''
!'''Component'''
!'''Type of vulnerability'''
!'''BlueSpice 5'''
!'''BlueSpice 4'''
|-
|CVE-2025-14847
|<code>container collabpads-database(image:mongo:8.0)</code>
|Information Disclosure
| style="" class="col-purple-bg" |affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-15467
|Container <code>bluespice/database</code>
|Buffer Overflow
| style="" class="col-purple-bg" |affected
| style="" class="col-purple-bg" |affected
|}

==Impact assessment==
* Service <code>collabpads-database</code> (image name: <code>mongo</code> )
** A unauthenticated MongoDB client can attack the service if reachable. By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.
{| class="wikitable" style="width: 100%;"
!CVE
!Assessment
!Mitigation without update
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-14847
| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low
| style="vertical-align:middle;text-align:left;" |Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
|-
|CVE-2025-15467
| style="" class="col-orange-bg" |Low
|Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups
|}

== Solution ==
To mitigate <code>CVE-2025-14847</code> use one of the following options:

# Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
# Update the <code>mongo</code> docker image via BlueSpice's deploy tool: <code>bluespice-deploy pull collabpads-database && bluespice-deploy up -d</code>

Confluence migration

2026-02-27T09:59:22Z

Rvogel1: /* Roadmap */

''Hallo Welt!'' has created a migration tool that can be used to import Confluence spaces into a MediaWiki or BlueSpice installation. This is a command line tool and you need access to your MediaWiki or BlueSpice server environment.

==Migration tool==
The [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data migration tool can be found on GitHub] and is [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data documented there].

==Extensions==
The output generated by the tool contains certain elements that require '''additional extensions''' to activate. These extensions are already included in a BlueSpice Pro installation:

#[[mediawikiwiki:Extension:TemplateStyles|TemplateStyles]]
#[[mediawikiwiki:Extension:ParserFunctions|ParserFunctions]]
#[[mediawikiwiki:Extension:SimpleTasks|SimpleTasks]]
#[[mediawikiwiki:Extension:Semantic_MediaWiki|Semantic MediaWiki]]
#[[mediawikiwiki:Extension:Header_Tabs|HeaderTabs]]
#[[mediawikiwiki:Extension:SubPageList|SubPageList]]

==Macro check==
On the BlueSpice website, you can use a [https://bluespice.com/confluence-migration-process/#confluence-migration-input-desktop macro check] to see which Confluence macros are not automatically converted. If an important macro is marked as unsupported, the content can most likely still be transferred.
[[File:Confluence macro check.png|alt=Textarea for adding a list of macros (with step-by-step instructions)|center|thumb|650x650px|Macro check]]

== Not migrated ==
The following Confluence elements are excluded from the migration:

*User identities
*Comments
*Various macros
*Various layouts
*Blog posts
*Files in an area that cannot be assigned to a page

== Roadmap ==
* March '26: Provide Docker Container (ERM46685) - Eases installation and allows for better automation
* March/April '26: Allow for parallel processing (ERM45405) - Speeds up conversion of large Confluence exports
* March/April '26: Migrate blogs posts to [[mw:Extension:SimpleBlogPage]] pages (ERM46628) - Additional content
* March/April '26: Migrate page comments to [[mw:Extension:CommentStreams]] threads (ERM46627) - Additional content
* April '26: Add support for historic page and file revisions (ERM35013) - Additional content

==More information==

*https://bluespice.com/migration-from-confluence-to-bluespice-mediawiki/
*https://bluespice.com/mediawiki-versus-confluence-not-a-question-of-features/

[[de:Confluence Migration]]
[[Category:Setup]]

Confluence migration

2026-02-27T09:57:46Z

Rvogel1:

''Hallo Welt!'' has created a migration tool that can be used to import Confluence spaces into a MediaWiki or BlueSpice installation. This is a command line tool and you need access to your MediaWiki or BlueSpice server environment.

==Migration tool==
The [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data migration tool can be found on GitHub] and is [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data documented there].

==Extensions==
The output generated by the tool contains certain elements that require '''additional extensions''' to activate. These extensions are already included in a BlueSpice Pro installation:

#[[mediawikiwiki:Extension:TemplateStyles|TemplateStyles]]
#[[mediawikiwiki:Extension:ParserFunctions|ParserFunctions]]
#[[mediawikiwiki:Extension:SimpleTasks|SimpleTasks]]
#[[mediawikiwiki:Extension:Semantic_MediaWiki|Semantic MediaWiki]]
#[[mediawikiwiki:Extension:Header_Tabs|HeaderTabs]]
#[[mediawikiwiki:Extension:SubPageList|SubPageList]]

==Macro check==
On the BlueSpice website, you can use a [https://bluespice.com/confluence-migration-process/#confluence-migration-input-desktop macro check] to see which Confluence macros are not automatically converted. If an important macro is marked as unsupported, the content can most likely still be transferred.
[[File:Confluence macro check.png|alt=Textarea for adding a list of macros (with step-by-step instructions)|center|thumb|650x650px|Macro check]]

== Not migrated ==
The following Confluence elements are excluded from the migration:

*User identities
*Comments
*Various macros
*Various layouts
*Blog posts
*Files in an area that cannot be assigned to a page

== Roadmap ==
# Provide Docker Container (ERM46685) - Eases installation and allows for better automation
# Allow for parallel processing (ERM45405) - Speeds up conversion of large Confluence exports
# Migrate blogs posts to [[mw:Extension:SimpleBlogPage]] pages (ERM46628) - Additional content
# Migrate page comments to [[mw:Extension:CommentStreams]] threads (ERM46627) - Additional content
# Add support for historic page and file revisions (ERM35013) - Additional content

==More information==

*https://bluespice.com/migration-from-confluence-to-bluespice-mediawiki/
*https://bluespice.com/mediawiki-versus-confluence-not-a-question-of-features/

[[de:Confluence Migration]]
[[Category:Setup]]

Confluence migration

2026-02-27T09:54:22Z

Rvogel1:

''Hallo Welt!'' has created a migration tool that can be used to import Confluence spaces into a MediaWiki or BlueSpice installation. This is a command line tool and you need access to your MediaWiki or BlueSpice server environment.

==Migration tool==
The [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data migration tool can be found on GitHub] and is [https://github.com/hallowelt/migrate-confluence?tab=readme-ov-file#migrate-confluence-xml-export-to-mediawiki-import-data documented there].

==Extensions==
The output generated by the tool contains certain elements that require '''additional extensions''' to activate. These extensions are already included in a BlueSpice Pro installation:

#[[mediawikiwiki:Extension:TemplateStyles|TemplateStyles]]
#[[mediawikiwiki:Extension:ParserFunctions|ParserFunctions]]
#[[mediawikiwiki:Extension:SimpleTasks|SimpleTasks]]
#[[mediawikiwiki:Extension:Semantic_MediaWiki|Semantic MediaWiki]]
#[[mediawikiwiki:Extension:Header_Tabs|HeaderTabs]]
#[[mediawikiwiki:Extension:SubPageList|SubPageList]]

==Macro check==
On the BlueSpice website, you can use a [https://bluespice.com/confluence-migration-process/#confluence-migration-input-desktop macro check] to see which Confluence macros are not automatically converted. If an important macro is marked as unsupported, the content can most likely still be transferred.
[[File:Confluence macro check.png|alt=Textarea for adding a list of macros (with step-by-step instructions)|center|thumb|650x650px|Macro check]]

== Not migrated ==
The following Confluence elements are excluded from the migration:

*User identities
*Comments
*Various macros
*Various layouts
*Blog posts
*Files in an area that cannot be assigned to a page

== Roadmap ==
# Provide Docker Container - Eases installation and allows for better automation
# Allow for parallel processing (ERM45405) - Speeds up conversion of large Confluence exports
# Migrate blogs posts to [[mw:Extension:SimpleBlogPage]] pages (ERM46628) - Additional content
# Migrate page comments to [[mw:Extension:CommentStreams]] threads (ERM46627) - Additional content
# Add support for historic page and file revisions (ERM35013) - Additional content

==More information==

*https://bluespice.com/migration-from-confluence-to-bluespice-mediawiki/
*https://bluespice.com/mediawiki-versus-confluence-not-a-question-of-features/

[[de:Confluence Migration]]
[[Category:Setup]]

Development

2026-02-23T16:19:05Z

Rvogel1: Created page with "This page contains information about how to set up a local development environment for BlueSpice. == Local development environment based on <code>bluespice-deploy</code> == A developer can use the default deployment stack and alter is to quickly set up a development environment. To do so, first clone the stack to your local machine and navigate into it: <syntaxhighlight lang="text"> git clone -b 5.2.x git@github.com:hallowelt/bluespic..."

This page contains information about how to set up a local development environment for BlueSpice.

== Local development environment based on <code>bluespice-deploy</code> ==
A developer can use the [[Setup:Installation Guide/Docker|default deployment stack]] and alter is to quickly set up a development environment. To do so, first clone the stack to your local machine and navigate into it:
<syntaxhighlight lang="text">
git clone -b 5.2.x git@github.com:hallowelt/bluespice-deploy.git
cd bluespice-deploy/compose
</syntaxhighlight>

Create a proper <code>.env</code> file from the <code>.env.sample</code> and alter/add the following lines:
<syntaxhighlight lang="text">
DATADIR=~/workspace/REL1_43-5.2.x/data
CODEDIR=~/workspace/REL1_43-5.2.x/code
SMTP_HOST=mailhog
SMTP_PORT=1025
</syntaxhighlight>

Create a <code>docker-compose.overrides.yml</code> file with the following content:
<syntaxhighlight lang="yaml">
services:

wiki-installer:
image: docker.bluespice.com/bluespice-qa/wiki:latest
volumes:
- ${CODEDIR}:/app/bluespice/w/

wiki-web:
image: docker.bluespice.com/bluespice-qa/wiki:latest
volumes:
- ${CODEDIR}:/app/bluespice/w/

wiki-task:
image: docker.bluespice.com/bluespice-qa/wiki:latest
volumes:
- ${CODEDIR}:/app/bluespice/w/

mailhog:
image: mailhog/mailhog
container_name: mailhog
environment:
VIRTUAL_HOST: ${WIKI_HOST}
VIRTUAL_PATH: /_mailhog
VIRTUAL_PORT: 8025
VIRTUAL_DEST: /
</syntaxhighlight>

This will make the stack use your local codebase from <code>$CODEDIR</code> and also expose a Mailhog web interface on <code>$Wiki_HOST/_mailhog</code>.

In addition, if you want to work with a custom build of the <code>bluespice/wiki</code> container, you can add an <code>image:</code> entry to the respective services. Example
<syntaxhighlight lang="yaml">
wiki-installer:
image: bluespice/wiki:dev
...
wiki-web:
image: bluespice/wiki:dev
...

wiki-task:
image: bluespice/wiki:dev
...
</syntaxhighlight>

Security:Security Advisories

2026-01-28T14:39:45Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
!Severity
|-
|[[Security:Security Advisories/BSSA-2026-01|BSSA-2026-01]]
|2026-01-28
|Security vulnerability in BlueSpice Collabpads database container.
|[https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
|Read of uninitialized heap memory
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-07|BSSA-2025-07]]
|2025-12-10
|Security vulnerability in BlueSpice Search container.
|[https://avd.aquasec.com/nvd/2025/cve-2025-66516 CVE-2025-66516]
|XML Entity Injection
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-06|BSSA-2025-06]]
|2025-10-28
|Security vulnerabilities in various MediaWiki extensions that are actually part of the BlueSpice distribution
|[https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171], [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277], [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965], [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173], [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175],
[https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625],
[https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370],
[https://www.cve.org/CVERecord?id=CVE-2025-54874 CVE-2025-54874],
[https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839],
[https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634],
[https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635],
[https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636],
[https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637],
[https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638],
[https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639],
[https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640],
[https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641],
[https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642],
[https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643],
[https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646],
[https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652],
[https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657],
[https://www.cve.org/CVERecord?id=CVE-2025-7458 CVE-2025-7458]
|Denial Of Service,
Cross-Site Scripting (XSS),
Information Disclosure,
Bypass authn at content check,
Server-side Request Forgery,
Arbitrary Code Execution,
Memory Corruption,
Use-After-Free,
Arbitrary SQL Execution
| style="" class="col-red-bg" |High
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure,
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2023-02|BSSA-2023-02]]
|2023-10-30
|Security vulnerabilities in Extension:BlueSpiceAvatars
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|Allows Cross-Site Scripting (XSS)
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
| style="" class="col-orange-bg" |Medium
|}

Security:Security Advisories/BSSA-2026-01

2026-01-28T14:32:17Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2026-01-29
|-
|Severity
|reported "high", BlueSpice assessment: '''low'''
|-
|Affected
| Services in current LTS version < 5.1.4
|-
|Fixed in
|5.2.1, 5.1.5
|-
|CVE
| [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]
|}

==Problem==
* Service <code>collabpads-database</code> (image name: <code>mongo</code> ) - [https://avd.aquasec.com/nvd/2025/cve-2025-14847 CVE-2025-14847]

==Impact assessment==
* Service <code>collabpads-database</code> (image name: <code>mongo</code> )
** A unauthenticated MongoDB client can attack the service if reachable. By default BlueSpice setup, the service runs only in the background and can not be accessed from outside the virtual network. So not even unauthenticated access is possible from any external location.

== Solution ==
To mitigate <code>CVE-2025-14847</code> use one of the following options:

# Make sure the service has no access to the internet. This is the default configuration of BlueSpice setups.
# Update the <code>mongo</code> docker image via BlueSpice's deploy tool: <code>bluespice-deploy pull collabpads-database && bluespice-deploy up -d</code>
# Update to version >=5.1.5 or >=5.2.1 of the BlueSpice images

Setup:Installation Guide/Docker

2026-01-22T14:02:42Z

Rvogel1:

== Overview ==
Starting with version 4.5, BlueSpice MediaWiki can be installed with a stack of Docker container images.

Everything is built in a modular way to allow different types of setups.

The most common cases are:
# "All-in-one" (with and without Let's Encrypt)
# Custom database and search service
# Custom load balancer / proxy

== Architecture ==
<drawio filename="Setup:Installation_Guide_Docker-Achitecture" alt="Diagram of BlueSpice Docker Stack Architecture" />

'''Notes'''
* Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
** HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
* Proprietary ports (esp. for database connections) are noted next to the respective services.
* There may be additional services and ports in use, based on the setup. Some examples:
** When using LDAP based authentication an LDAPS connection (port <code>636</code>) is used from the <code>bluespice/wiki</code> containers to the LDAP-Server
** When using Kerberos authentication, a connection (port <code>88</code>) is used from the <code>bluespice/kerberos-proxy</code> containers to the Kerberos-Server
** When using DeepL or OpenAI services, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> containers to to the respective service
** When using OpenIDConnect authentication, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> "task" container to to the authentication provider
** When using "Let's Encrypt" Certbot, a HTTPS connection (port <code>443</code>) is used from the <code>acme-companion</code> container to the "Let's Encrypt" service

== Step 1: Get the stack ==
Load project <code>bluespice-deploy</code> from https://github.com/hallowelt/bluespice-deploy/releases/latest and enter the sub-directory <code>compose</code> for Docker Compose files.

For example, run:
<syntaxhighlight lang=sh>
wget https://github.com/hallowelt/bluespice-deploy/archive/refs/tags/5.2.1.zip \
&& unzip 5.2.1.zip \
&& cd bluespice-deploy-5.2.1/compose
</syntaxhighlight>

The directory contains the following files:
{| class="wikitable"
|+
! style="width:375px;" |Filename
! style="" |Type
! style="" |Comment
|-
| style="width:375px;" |<code>bluespice-deploy</code>
| style="" |shell script
| style="" |Start-up script, wrapping command <code>docker compose</code> and service <code>yml</code> files. Additional service <code>yml</code> files can be loaded by adding <code>-f <filename> </code>.
|-
| style="width:375px;" |<code>docker-compose.main.yml</code>
| style="" |yml
| style="" |Main containers of the wiki (<code>wiki-web</code> and <code>wiki-task</code>).
|-
| style="width:375px;" |<code>docker-compose.persistent-data-services.yml</code>
| style="" |yml
| style="" |Containers of database and search services, storing persistent data onto the file system. Optionally with external MySQL/MariaDB and OpenSearch one can skip loading this <code>.yml</code> in <code>bluespice-deploy</code>. Please then wire your services properly in the <code>.env</code> file.
|-
| style="width:375px;" |<code>docker-compose.stateless-services.yml</code>
| style="" |yml
| style="" |Containers for caching, PDF rendering, formula-rendering and diagram editing.
|-
| style="width:375px;" |<code>docker-compose.helper-service.yml</code>
| style="" |yml
| style="" |Helper containers for file system preparation and automated BlueSpice upgrade. These containers exit automatically after finishing tasks.
|-
| style="width:375px;" |<code>docker-compose.proxy.yml</code>
| style="" |yml
| style="" |Container of proxy service. Can be replaced by existing proxy/load-balancer infrastructure.
|-
| style="width:375px;" |<code>docker-compose.proxy-letsencrypt.yml</code>
| style="" |yml
| style="" |Additional service for auto-renewal of "Let's Encrypt" certificates. Only required when using the Let's Encrypt service and having no other TLS termination.
|-
| style="width:375px;" |<code>docker-compose.kerberos-proxy.yml</code>
| style="" |yml
| style="" |Additional proxy for Kerberos based authentication.
|-
| style="width:375px;" |<code>docker-compose.collabpads-service.yml</code>
|yml
|Containers of back-end services for [[Manual:Extension/CollabPads|CollabPads]] (included in Pro and Farm editions).
|-
| style="width:375px;" |<code>.env.sample</code>
| style="" |text
| style="" |Sample for creating <code>.env</code> that defines key environment variables.
|-
| style="width:375px;" |<code>bluespice.service.demo</code>
| style="" |service script
| style="" |Demo-file for control the BlueSpice stack as a <code>systemctl</code> service. One can create e.g a <code>/etc/systemd/system/bluespice.service</code>.
|}

== Step 2: Set up environment variables ==
Create your <code>.env</code> based on the sample file <code>.env.sample</code>.

Example:
<pre>
# set or use your data directory
DATADIR=/data/bluespice
VERSION=5.1.3
EDITION=free
BACKUP_HOUR=04

WIKI_NAME=BlueSpice
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https
WIKI_BASE_PATH=

DB_USER=set_or_use_your_db_user_name
DB_PASS=SET_OR_USE_YOUR_DB_PASS_WORD
DB_ROOT_USER=root
DB_ROOT_PASS=$DB_PASS
DB_HOST=database
DB_NAME=bluespice
DB_PREFIX=

SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...

LETSENCRYPT=false
</pre>
{{Textbox|boxtype=note|header=Different editions|text=This config works for all editions, but the main image of Pro or Farm edition needs to be obtained differently, see [[{{FULLPAGENAME}}/Pro and Farm edition|Pro and Farm edition]]|icon=yes}}

== Step 3: Start the stack ==
Use <code>bluespice-deploy up -d</code> to start the stack. Once all containers are shown as "ready" you can navigate to <code>$WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT</code> (e.g. <code><nowiki>https://wiki.company.local</nowiki></code>) in your preferred web browser and start using the application.

When starting the stack the first time, the <code>wiki-task</code> container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default <code>Admin</code> user can be found in <code>$DATADIR/wiki/initialAdminPassword</code>.

== Additional options ==

=== Add Customizations to containers ===
Starting with bluespice-deploy 5.1.4 and 5.2.0 Branches, we allow to edit and maintan a separate <code>docker-compose.override,yml</code> which will be ignored by git.

This way you can add your own Container-Configurations and be able to maintain your git status up to date. just place the file next to the other docker-compose.*.ymls and run ./bluespice-deploy up -d

Example:<syntaxhighlight lang="yaml">
services:
wiki-web:
volumes:
- /backup/:/data/backup
wiki-task:
volumes:
- /backup/:/data/backup
</syntaxhighlight>

=== Configs for <code>LocalSettings.php</code> ===
Instead of exposing the <code>LocalSettings.php</code> for [[mediawikiwiki:Manual:LocalSettings.php|adding additional configurations]], the stack offers two entry points. After the initial installation, you can add your configs to two files in <code>${DATADIR}/wiki/bluespice/</code>:

* <code>pre-init-settings.php</code> - Set configs before the initialization of BlueSpice's debug logging, libraries, skins, extensions and default settings. Configs set here can be picked up by the init process.
* <code>post-init-settings.php</code> - Set configs after the initialization, manipulating configs that have been set by the init process.
For example, if you add the following lines to <code>pre-init-settings.php</code>, you can then read outputted debug logs (if any) in <code>${DATADIR}/wiki/bluespice/logs/debug.log</code>:<syntaxhighlight lang="php">
$GLOBALS['bsgDebugLogGroups']['exception'] = "/data/bluespice/logs/debug.log";
$wgShowExceptionDetails = true;
</syntaxhighlight>

=== Maintenance scripts ===
To run [[Setup:Installation Guide/Advanced/Maintenance scripts|maintenance scripts]] from MediaWiki or from other extensions, please use the <code>wiki-task</code> container, which handles all back-end jobs and processes. You can connect into the container in two different ways:

* run <code>./bluespice-deploy exec -it wiki-task bash</code> in the <code>compose</code> directory for Docker Compose files
* or alternatively, run <code>docker exec -it bluespice-wiki-task bash</code> wherever you are on the host machine

Inside the container you can enter the wiki's code base with <code>cd /app/bluespice/w</code> , where one can run scripts like <code>php maintenance/run.php update --quick</code>, <code>php extensions/BlueSpiceExtendedSearch/maintenance/updateWikiPageIndex.php</code> and so on.

=== SSL certificates ===
To use a Let's Encrypt certificate for your domain name, set <code>LETSENCRYPT=true</code> in your <code>.env</code> file.

To use a self-signend certificate for your domain name, put its <code>.crt</code> and <code>.key</code> files in <code>${DATADIR}/proxy/certs</code>. For example, with <code>wiki.company.local</code> you should prepare <code>wiki.company.local.crt</code> and <code>wiki.company.local.key</code> files.

=== Kerberos proxy ===
For implicit authentication using Kerberos, an additional proxy must be used: <code>bluespice/kerberos-proxy</code> . The file <code>docker-compose.kerberos-proxy.yml</code> contains a common configuration. It can be used '''instead of''' the regular <code>docker-compose.proxy.yml</code> file inside <code>bluespice-deploy</code> .

Make sure to have the files

* <code>${DATADIR}/kerberos/krb5.conf</code>
* <code>${DATADIR}/kerberos/kerberos.keytab</code>

set up properly.

The file <code>${DATADIR}/wiki/bluespice/pre-init-settings.php</code> can then be used to set up [[mediawikiwiki:LDAP_hub|"Extension:Auth_remoteuser" and the LDAP stack extensions]].

=== SAML authentication ===
During the initial installation a certificate for message signing will automatically be created. It can be found in <code>${DATADIR}/wiki/simplesamlphp/certs/</code>.

In order to configure a remote IdP, one must copy the IdP metadata XML to a file called <code>${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml</code>. The SP metadata can then be obtained via <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp</nowiki></code>. It must be configured in the remote IdP.

{{Textbox
|boxtype=tip
|header=Test authentication
|text= You can test authentication directly within the SimpleSAMLphp application. To do so, navigate to <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/admin</nowiki></code> and log in with <code>admin</code> and the <code>INTERNAL_SIMPLESAMLPHP_ADMIN_PASS</code> found in <code>${DATADIR}/wiki/.wikienv</code>
|icon=yes
}}

Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add

<syntaxhighlight lang="php">
wfLoadExtensions( [
'PluggableAuth',
'SimpleSAMLphp'
] );
</syntaxhighlight>[[File:Setup:SAML ConfigManager EN 01.png|thumb|300x300px]]to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".

=== OpenID Connect authentication ===

The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add<syntaxhighlight lang="php">
wfLoadExtensions( [
'PluggableAuth',
'OpenIDConnect'
] );
</syntaxhighlight>to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".

[[de:Setup:Installationsanleitung/Docker]]

Setup:Installation Guide/Docker

2026-01-22T14:00:52Z

Rvogel1:

== Overview ==
Starting with version 4.5, BlueSpice MediaWiki can be installed with a stack of Docker container images.

Everything is built in a modular way to allow different types of setups.

The most common cases are:
# "All-in-one" (with and without Let's Encrypt)
# Custom database and search service
# Custom load balancer / proxy

== Architecture ==
<drawio filename="Setup:Installation_Guide_Docker-Achitecture" alt="Diagram of BlueSpice Docker Stack Architecture" />

'''Notes'''
* Internal HTTP connections may use non-standard ports. Those are noted next to the respective services.
** HTTP (in-secure) is only used for internal communication within the virtual network the stack is operated in. All connections to the client use TLS.
* Proprietary ports (esp. for database connections) are noted next to the respective services.
* There may be additional services and ports in use, based on the setup. Some examples:
** When using LDAP based authentication an LDAPS connection (port <code>636</code>) is used from the <code>bluespice/wiki</code> containers to the LDAP-Server
** When using Kerberos authentication, a connection (port <code>88</code>) is used from the <code>bluespice/kerberos-proxy</code> containers to the Kerberos-Server
** When using DeepL or OpenAI services, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> containers to to the respective service
** When using OpenIDConnect authentication, a HTTPS connection (port <code>443</code>) is used from the <code>bluespice/wiki</code> "task" container to to the authentication provider
** When using "Let's Encrypt" Certbot, a HTTPS connection (port <code>443</code>) is used from the <code>acme-companion</code> container to the "Let's Encrypt" service

== Step 1: Get the stack ==
Load project <code>bluespice-deploy</code> from https://github.com/hallowelt/bluespice-deploy/releases/latest and enter the sub-directory <code>compose</code> for Docker Compose files.

For example, run:
<syntaxhighlight lang=sh>
wget https://github.com/hallowelt/bluespice-deploy/archive/refs/tags/5.2.1.zip \
&& unzip 5.2.1.zip \
&& cd bluespice-deploy-5.2.1/compose
</syntaxhighlight>

The directory contains the following files:
{| class="wikitable"
|+
! style="width:375px;" |Filename
! style="" |Type
! style="" |Comment
|-
| style="width:375px;" |<code>bluespice-deploy</code>
| style="" |shell script
| style="" |Start-up script, wrapping command <code>docker compose</code> and service <code>yml</code> files. Additional service <code>yml</code> files can be loaded by adding <code>-f <filename> </code>.
|-
| style="width:375px;" |<code>docker-compose.main.yml</code>
| style="" |yml
| style="" |Main containers of the wiki (<code>wiki-web</code> and <code>wiki-task</code>).
|-
| style="width:375px;" |<code>docker-compose.persistent-data-services.yml</code>
| style="" |yml
| style="" |Containers of database and search services, storing persistent data onto the file system. Optionally with external MySQL/MariaDB and OpenSearch one can skip loading this <code>.yml</code> in <code>bluespice-deploy</code>. Please then wire your services properly in the <code>.env</code> file.
|-
| style="width:375px;" |<code>docker-compose.stateless-services.yml</code>
| style="" |yml
| style="" |Containers for caching, PDF rendering, formula-rendering and diagram editing.
|-
| style="width:375px;" |<code>docker-compose.helper-service.yml</code>
| style="" |yml
| style="" |Helper containers for file system preparation and automated BlueSpice upgrade. These containers exit automatically after finishing tasks.
|-
| style="width:375px;" |<code>docker-compose.proxy.yml</code>
| style="" |yml
| style="" |Container of proxy service. Can be replaced by existing proxy/load-balancer infrastructure.
|-
| style="width:375px;" |<code>docker-compose.proxy-letsencrypt.yml</code>
| style="" |yml
| style="" |Additional service for auto-renewal of "Let's Encrypt" certificates. Only required when using the Let's Encrypt service and having no other TLS termination.
|-
| style="width:375px;" |<code>docker-compose.kerberos-proxy.yml</code>
| style="" |yml
| style="" |Additional proxy for Kerberos based authentication.
|-
| style="width:375px;" |<code>docker-compose.collabpads-service.yml</code>
|yml
|Containers of back-end services for [[Manual:Extension/CollabPads|CollabPads]] (included in Pro and Farm editions).
|-
| style="width:375px;" |<code>.env.sample</code>
| style="" |text
| style="" |Sample for creating <code>.env</code> that defines key environment variables.
|-
| style="width:375px;" |<code>bluespice.service.demo</code>
| style="" |service script
| style="" |Demo-file for control the BlueSpice stack as a <code>systemctl</code> service. One can create e.g a <code>/etc/systemd/system/bluespice.service</code>.
|}

== Step 2: Set up environment variables ==
Create your <code>.env</code> based on the sample file <code>.env.sample</code>.

Example:
<pre>
# set or use your data directory
DATADIR=/data/bluespice
VERSION=5.1.3
EDITION=free
BACKUP_HOUR=04

WIKI_NAME=BlueSpice
WIKI_LANG=en
WIKI_PASSWORDSENDER=no-reply@wiki.company.local
WIKI_EMERGENCYCONTACT=no-reply@wiki.company.local
WIKI_HOST=wiki.company.local
WIKI_PORT=443
WIKI_PROTOCOL=https
WIKI_BASE_PATH=

DB_USER=set_or_use_your_db_user_name
DB_PASS=SET_OR_USE_YOUR_DB_PASS_WORD
DB_ROOT_USER=root
DB_ROOT_PASS=$DB_PASS
DB_HOST=database
DB_NAME=bluespice
DB_PREFIX=

SMTP_HOST=mail.company.local
SMTP_PORT=25
SMTP_USER=...
SMTP_PASS=...
SMTP_ID_HOST=...

LETSENCRYPT=false
</pre>
{{Textbox|boxtype=note|header=Different editions|text=This config works for all editions, but the main image of Pro or Farm edition needs to be obtained differently, see [[{{FULLPAGENAME}}/Pro and Farm edition|Pro and Farm edition]]|icon=yes}}

== Step 3: Start the stack ==
Use <code>bluespice-deploy up -d</code> to start the stack. Once all containers are shown as "ready" you can navigate to <code>$WIKI_PROTOCOL://$WIKI_HOST:$WIKI_PORT</code> (e.g. <code><nowiki>https://wiki.company.local</nowiki></code>) in your preferred web browser and start using the application.

When starting the stack the first time, the <code>wiki-task</code> container will automatically perform the installation. It may take a couple of minutes for the process to set up the database and complete. Once it is finished, the password for the default <code>Admin</code> user can be found in <code>$DATADIR/wiki/initialAdminPassword</code>.

== Additional options ==

=== Add Customizations to containers ===
Starting with bluespice-deploy 5.1.4 and 5.2.0 Branches, we allow to edit and maintan a separate <code>docker-compose.override,yml</code> which will be ignored by git.

This way you can add your own Container-Configurations and be able to maintain your git status up to date. just place the file next to the other docker-compose.*.ymls and run ./bluespice-deploy up -d

Example:<syntaxhighlight lang="yaml">
services:
wiki-web:
volumes:
- /code/extensions/X:/app/bluespice/w/extensions/X
- /backup/:/data/backup
wiki-task:
volumes:
- /backup/:/data/backup
- /code/extensions/X:/app/bluespice/w/extensions/X
</syntaxhighlight>

=== Configs for <code>LocalSettings.php</code> ===
Instead of exposing the <code>LocalSettings.php</code> for [[mediawikiwiki:Manual:LocalSettings.php|adding additional configurations]], the stack offers two entry points. After the initial installation, you can add your configs to two files in <code>${DATADIR}/wiki/bluespice/</code>:

* <code>pre-init-settings.php</code> - Set configs before the initialization of BlueSpice's debug logging, libraries, skins, extensions and default settings. Configs set here can be picked up by the init process.
* <code>post-init-settings.php</code> - Set configs after the initialization, manipulating configs that have been set by the init process.
For example, if you add the following lines to <code>pre-init-settings.php</code>, you can then read outputted debug logs (if any) in <code>${DATADIR}/wiki/bluespice/logs/debug.log</code>:<syntaxhighlight lang="php">
$GLOBALS['bsgDebugLogGroups']['exception'] = "/data/bluespice/logs/debug.log";
$wgShowExceptionDetails = true;
</syntaxhighlight>

=== Maintenance scripts ===
To run [[Setup:Installation Guide/Advanced/Maintenance scripts|maintenance scripts]] from MediaWiki or from other extensions, please use the <code>wiki-task</code> container, which handles all back-end jobs and processes. You can connect into the container in two different ways:

* run <code>./bluespice-deploy exec -it wiki-task bash</code> in the <code>compose</code> directory for Docker Compose files
* or alternatively, run <code>docker exec -it bluespice-wiki-task bash</code> wherever you are on the host machine

Inside the container you can enter the wiki's code base with <code>cd /app/bluespice/w</code> , where one can run scripts like <code>php maintenance/run.php update --quick</code>, <code>php extensions/BlueSpiceExtendedSearch/maintenance/updateWikiPageIndex.php</code> and so on.

=== SSL certificates ===
To use a Let's Encrypt certificate for your domain name, set <code>LETSENCRYPT=true</code> in your <code>.env</code> file.

To use a self-signend certificate for your domain name, put its <code>.crt</code> and <code>.key</code> files in <code>${DATADIR}/proxy/certs</code>. For example, with <code>wiki.company.local</code> you should prepare <code>wiki.company.local.crt</code> and <code>wiki.company.local.key</code> files.

=== Kerberos proxy ===
For implicit authentication using Kerberos, an additional proxy must be used: <code>bluespice/kerberos-proxy</code> . The file <code>docker-compose.kerberos-proxy.yml</code> contains a common configuration. It can be used '''instead of''' the regular <code>docker-compose.proxy.yml</code> file inside <code>bluespice-deploy</code> .

Make sure to have the files

* <code>${DATADIR}/kerberos/krb5.conf</code>
* <code>${DATADIR}/kerberos/kerberos.keytab</code>

set up properly.

The file <code>${DATADIR}/wiki/bluespice/pre-init-settings.php</code> can then be used to set up [[mediawikiwiki:LDAP_hub|"Extension:Auth_remoteuser" and the LDAP stack extensions]].

=== SAML authentication ===
During the initial installation a certificate for message signing will automatically be created. It can be found in <code>${DATADIR}/wiki/simplesamlphp/certs/</code>.

In order to configure a remote IdP, one must copy the IdP metadata XML to a file called <code>${DATADIR}/wiki/simplesamlphp/saml_idp_metadata.xml</code>. The SP metadata can then be obtained via <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/saml/sp/metadata.php/default-sp</nowiki></code>. It must be configured in the remote IdP.

{{Textbox
|boxtype=tip
|header=Test authentication
|text= You can test authentication directly within the SimpleSAMLphp application. To do so, navigate to <code><nowiki>https://{{$WIKI_HOST}}/_sp/module.php/admin</nowiki></code> and log in with <code>admin</code> and the <code>INTERNAL_SIMPLESAMLPHP_ADMIN_PASS</code> found in <code>${DATADIR}/wiki/.wikienv</code>
|icon=yes
}}

Next, the extensions "PluggableAuth" and "SimpleSAMLphp" must be enabled on the wiki. To do so, add

<syntaxhighlight lang="php">
wfLoadExtensions( [
'PluggableAuth',
'SimpleSAMLphp'
] );
</syntaxhighlight>[[File:Setup:SAML ConfigManager EN 01.png|thumb|300x300px]]to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".

=== OpenID Connect authentication ===

The extensions "PluggableAuth" and "OpenIDConnect" must be enabled on the wiki. To do so, add<syntaxhighlight lang="php">
wfLoadExtensions( [
'PluggableAuth',
'OpenIDConnect'
] );
</syntaxhighlight>to the <code>${DATADIR}/wiki/bluespice/post-init-settings.php</code>. Run

./bluespice-deploy exec wiki-task /app/bluespice/w/maintenance/update.php --quick

to complete the installation.

After that, the authentication plugin configuration can be applied in [[Manual:Extension/BlueSpiceConfigManager|Special:BlueSpiceConfigManager]] under "Authentication".

[[de:Setup:Installationsanleitung/Docker]]

Security:Security Advisories

2025-12-08T15:43:40Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
!Severity
|-
|[[Security:Security Advisories/BSSA-2025-06|BSSA-2025-06]]
|2025-10-28
|Security vulnerabilities in various MediaWiki extensions that are actually part of the BlueSpice distribution
|[https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171], [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277], [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965], [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173], [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175],
[https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625],
[https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370],
[https://www.cve.org/CVERecord?id=CVE-2025-54874 CVE-2025-54874],
[https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839],
[https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634],
[https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635],
[https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636],
[https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637],
[https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638],
[https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639],
[https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640],
[https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641],
[https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642],
[https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643],
[https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646],
[https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652],
[https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656],
[https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657],
[https://www.cve.org/CVERecord?id=CVE-2025-7458 CVE-2025-7458]
|Denial Of Service,
Cross-Site Scripting (XSS),
Information Disclosure,
Bypass authn at content check,
Server-side Request Forgery,
Arbitrary Code Execution,
Memory Corruption,
Use-After-Free,
Arbitrary SQL Execution
| style="" class="col-red-bg" |High
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
| style="" class="col-green-bg" |Low
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure,
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
| style="" class="col-orange-bg" |Medium
|-
|[[Security:Security Advisories/BSSA-2023-02|BSSA-2023-02]]
|2023-10-30
|Security vulnerabilities in Extension:BlueSpiceAvatars
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|Allows Cross-Site Scripting (XSS)
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
| style="" class="col-green-bg" |Low
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
| style="" class="col-orange-bg" |Medium
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
| style="" class="col-orange-bg" |Medium
|}

Security:Security Advisories/BSSA-2025-04

2025-12-08T15:42:09Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-18
|-
|Severity
|reported "critical", BlueSpice assessment: '''low'''
|-
|Affected
| Services in current LTS version 5.1
|-
|Fixed in
|fix not yet available
|-
|CVE
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|}

==Problem==

* Service <code>bluespice/search</code>- [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988]
* Service <code>bluespice/formula</code> - [https://avd.aquasec.com/nvd/2025/cve-2025-7783/ CVE-2025-7783/]
* Service <code>bluespice/wiki</code>
** PCRE: [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050]
** libxml: [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794] and [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]

==Impact assessment==

* Service <code>bluespice/search</code>
** The issues has already been fixed in the upstream repository, but there was no official release yet
** A manipulated PDF file needs to be uploaded to the wiki, which usually requires an authenticated user context. The service runs only in the background and can not be accessed from outside the virtual network. It has limited access to the host system.
* Service <code>bluespice/formula</code>
** Caused by a dependency of [https://www.npmjs.com/package/coveralls coveralls]
** Not used production code
* Service <code>bluespice/wiki</code>
** No direct usage of those libraries
** Only accessed via PHP
** Main impacts are potential information disclose and denial-of-service
*** No critical information can be disclosed

== Solution ==
To mitigate <code>CVE-2025-54988</code> one can make sure the service has no access to the internet.

Besides this, there is currently no solution to those issues. Once the upstream vendors release fixed packages, the next patchlevel release of BlueSpice will contain them.

MediaWiki:Common.css

2025-11-19T10:19:58Z

Rvogel1:

/* Das folgende CSS wird für alle Benutzeroberflächen geladen. */
/*WCAG 1.4.3 discernable links*/
.mw-body-content a:not([class*='oo-ui-']), [class^='mw-content-'] a:not([class*='oo-ui-']) {text-decoration:underline dotted; text-underline-offset:4px;text-decoration-thickness: 1px; text-decoration-color:grey}
/* BS5 */
/*Softwarekatalog*/
table.casablanca.swc tbody tr, table.casablanca.swc th {
color:#333
}
table.casablanca.swc thead tr, table.casablanca tbody th.swc {
background:#e9e9ee
}
a.pdfcreator-export {
background: #efefef;
padding: 10px;
border-radius: 6px;
float: right;
font-weight: bold;
}

a.pdfcreator-export:before {
font-family: 'bootstrap-icons';
content: '\F1B9';
vertical-align: -0.3em;
padding-right: 0.5em;
}
/*move hf-footer closer to the bottom of the page by adjusting necessary margins */
#main {padding-bottom:1em;}
/*ordered lists */
article ol ol {list-style-type: lower-alpha;}
.hf-nsfooter {margin-top:3em;}
.thumbborder {border:1px solid #d3d5da}

/*TOC
#content .toc {width:100%; background:#f1f3f9; font-size:1em}
#content .toc li {padding:3px;}
#content .toc li:hover {background:white; outline-bottom:1px solid #f1f3f9; }
#content .toctitle {text-align:left; border-bottom:2px solid #fff; padding:2px}
*/
/*external Video thumbs*/
.youtubelink div.thumbinner {
border: 1px solid #d5d5d5;
background-color: #f1f3f9;
border-radius:8px;
-webkit-box-shadow: 3px 3px 3px 0px rgba(207,207,207,1);
-moz-box-shadow: 3px 3px 3px 0px rgba(207,207,207,1);
box-shadow: 3px 3px 3px 0px rgba(207,207,207,1);}
.youtubelink .thumbcaption {font-weight:bold; margin-top:8px}
.youtubelink a.external {padding-top: 2px;
display: inline-block;}

a.external, .link-mailto, .link-ftp, .link-irc, .link-audio, .link-video, .link-document {
padding-right: 13px!important}

figcaption a {
padding-left: 0!important;}
/*Standard content table bg color */
table.contenttable thead tr, table.contenttable th {background-color: #e9e9ee; vertical-align:top}
table.contenttable td {vertical-align:top}

/*pdf noexport without highlighting*/
.bs-universalexport-exportexclude {
background-color:transparent;
border:none;
}

/*Discussions and attachments currently not in use in the helpdesk, therfore hiding for no */
.icon-bluespice-logo:before {
font-family: 'icomoon' !important;
content: "\e910";
}

/*hide spans from templates in TOC text
.toctext span {display:none!important}*/

/* bootstrap icons in blue and big */
.bi-big, .fa-big { font-size: 2rem;
color: #2b80ea;

}

/*images in a list*/
#content li figure, #content li .floatnone, #content li img:first-child, #content li .thumb, content li .thumb img:first-child
{
margin-top:1.5em; margin-bottom:1.5em;
}
#content li.ve-ce-branchNode .thumb img:first-child, #content li.ve-ce-branchNode figure img:first-child, #content li.ve-ce-branchNode img.ve-ce-chimera {
margin-top:0;
}
#content li .thumb {
margin-bottom:0
}

#data-after-content {display: none;}
.wikitable > tr > th, .wikitable > tr > td, .wikitable > * > tr > th, .wikitable > * > tr > td {padding: 0.8em 0.4em;}

span.newicon {
vertical-align: super;
background: #64b334;
margin-left: 3px;
font-size: 0.8em;
padding: 1px 4px 2px 4px;
border-radius: 50%;
color: #ffffff;
}

.flexbox{display:flex;flex-direction:row;flex-wrap:wrap;justify-content:flex-start;align-items:stretch;align-content:stretch;}
.flexbox div{margin:5px;padding:2px 8px;text-align:center;background:#ececec}
.center > div.thumb {margin-top:2em}
#content .toctitle h2 {margin-right: 1em; display: inline;font-size: 1.4rem;}
.qtip {font-size: 1em;line-height: 1.4em;}

/*Related links */
h2#relatedinfo
{border-left: solid 4px #d8d8d9;
background:#f1f3f9;
color: #868585;
margin-top: 3rem;
margin-bottom:0 !important;
padding: 20px 10px 2px 30px;
}
.relatedtopics {
display:flex;
flex-wrap: wrap;
border-left: solid 4px #d8d8d9;
background:#f1f3f9;
padding: 2em !important;
margin:0 !important;
}
.relatedtopics .col{flex-basis: 50%; flex-grow: 1; flex-shrink: 1;}

/*Themen*/
.flexbox.themenhd div {background:#fff; border:1px solid #d8d8d9; padding:10px 20px; flex-basis:24%; text-align:left}
.flexbox.themenhd div [class*=" bi-"]::before {font-size: 1.6em; vertical-align: middle;background-color: #fff; padding: 6px; border-radius: 50%;}
.flexbox.themenhd div [class*=" bi-"]::before {font-size:2em; vertical-align:middle; background-color:#f1f3f9; padding: 10px; }
.themenhd div a {display:block}
.themenhd div:hover {background:rgb(233,233,238,0.5)}
ul.smw-format.ul-format.alltopics-col {column-count: 3;}

/*Tours */
.nextstep {display: inline-block;padding: 6px;background: #36c;border-radius: 2px;color: #ffffff;font-weight: bold;}
#mw-content-text .nextstep a:not(.new), [class^="mw-content-"] .nextstep a:not(.new), #mw-content-text .nextstep a:link:not(.new), [class^="mw-content-"] .nextstep a:link:not(.new) {
color: #ffffff; font-weight: bold;}
#mw-content-text .nextstep a:not(.new):hover, #mw-content-text .nextstep a:link:not(.new):hover, [class^="mw-content-"] .nextstep a:link:not(.new):hover {
color: #efefef;}
.nextstep a:not(.new)::after, .nextstep a:link:not(.new)::after {content: " \25B6";}

/*Main page*/
.flexbox-portal div > h2 span::before {vertical-align: text-bottom; size:1.1em;}
.mw-parser-output .flexbox-portal.col3 > div:nth-child(3n) {margin-right:0 !important}
#maintopics ul {list-style: none!important;}
#maintopics li {padding-bottom:0.6em!important;margin-left: 12px!important;}
#mpbanner {margin-top:-55px; background:#fff url(/w/nsfr_img_auth.php/f/fa/BlueSpice-Demo_Header.jpg) -90px no-repeat; background-size: 1000px 122px;}
h1#mpbanner-byline {font-size:1.8em; color:#3e5389;line-height: 1em; padding-top: 20px;}
#mpbanner-title {font-size:3.4rem; color:#3e5389; line-height:1.2em; font-weight: 900;letter-spacing: 1px; display:block}
#maintopics h2 span::before {vertical-align: text-bottom;padding-bottom: 2px;}

/** Template downloads **/
.cards {display:flex; flex-wrap:wrap; justify-content: space-between; gap:20px}
.cards > div {margin-left:5px; margin-right:5px; flex-basis:290px; margin-bottom:50px; border-top: 1px solid #f0f0f0; box-shadow: 0 1px 3px rgba(0,0,0,.12),0 1px 2px rgba(0,0,0,.24);
transition: all .3s cubic-bezier(.25,.8,.25,1); cursor: pointer; text-align:center}
.cards > div:hover {
box-shadow: 0 6px 8px rgba(0,0,0,.10),0 10px 10px rgba(0,0,0,.10);
}
.cards a.image img {max-width:600px}
.cards .screenshot {width:300px;height:200px; overflow:hidden; border-top:14px solid #eee; border-bottom:14px solid #eee}
#content #bodyContent .cards h2 {margin:10px; padding:0; font-size:1.1rem; font-color:#444; border:none; text-align:center}
.cards h2 .mw-editsection {display:none}
.cards .text {font-size:0.85rem; padding:20px 10px; text-align:center; font-weight:bold;}
#mw-content-text text a:not(.new), [class^="mw-content-"] .text a:not(.new), #mw-content-text .text a:link:not(.new), [class^="mw-content-"] .text a:link:not(.new), #mw-content-text .text a:not(.new):visited, [class^="mw-content-"] .text a:not(.new):visited, #mw-content-text .text a:link:not(.new):visited, [class^="mw-content-"] .text a:link:not(.new):visited
{color:#444;}
.cards .emptycard, .cards > div.emptycard:hover
{border: 0;
box-shadow: none;}
@media only screen and (max-width: 768px)
{.cards > div {flex-basis:98%; }
.cards .screenshot {width:auto; text-align:center}

}
.getButton {
display: inline-block;
background-color: #4CAF50;
border: none;
color: white;
padding: 8px 20px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 0 0 10px 0;
-webkit-transition-duration: 0.4s;
transition-duration: 0.4s;
border-radius: 8px;}

#mw-content-text .getButton a
{color:#ffffff!important;}
.getButton:hover {
box-shadow: 0 12px 16px 0 rgba(0,0,0,0.24),0 17px 50px 0 rgba(0,0,0,0.19);
color:'f5f5f5';
}
.getButton:active {
position:relative;
top:1px;
}
.getButton a:before {font-family: 'fontawesome';
content: '\f019 ';
font-size: 1.3em;
vertical-align: middle;
margin-right: 10px;
}

.cart a:before {font-family: 'fontawesome';
content: '\f217 ';
}

.downloadarea {
text-align:center;
display: inline-block;
float: right;
margin: 0 0 20px 40px;
padding: 10px;
background: #efefef;
background: linear-gradient(270deg, rgb(240, 240, 240) 0%, rgb(224, 224, 224) 52%, rgb(240, 240, 240) 100%);
}
.downloadarea p {margin:0}
@media only screen and (max-width: 768px)
{.cards > div {flex-basis:98%; }
}
.oo-ui-panelLayout-framed {border: 0;}
.oo-ui-tabSelectWidget-framed {border-bottom: 1px solid #d3d5da;}

/*HP Aktuelles */
#aktuelles {background: rgba(201, 224, 143, .3); padding:10px; margin:20px 0}
#aktuelles h2::before {font-family:'fontawesome'; font-size:0.8em; content:'\f02e'; color: #64b334; margin-right:10px}
#aktuelles h2 {margin: 8px 0 8px 24px; color: #454545; font-size: 1.4em; border-bottom: none; }
#aktuelles table {margin: 0 8px 15px 37px}
#aktuelles td {padding:3px 10px}

table.padded td, table.padded th {padding:8px}

/*Fixed table header */

.scrolltable table.jquery-tablesorter th.headerSort {background-position: 20px 112px;}

.table-scroll{
/*width:100%; */
display: block;
empty-cells: show;

/* Decoration */
border-spacing: 0;
border: 1px solid;
}

.table-scroll thead{
background-color: #f1f1f1;
position:relative;
display: block;
width:100%;
overflow-y: scroll;
}

.table-scroll tbody{
/* Position */
display: block; position:relative;
width:100%; overflow-y:scroll;
/* Decoration */
border-top: 1px solid rgba(0,0,0,0.2);
max-height: 50vh;
}

.table-scroll tr{
width: 100%;
display:flex;
}
.table-scroll th{
writing-mode:vertical-lr;
font-weight:normal;
}
.table-scroll td,.table-scroll th{
flex-grow: 2;
display: block;
padding: 5px;
text-align: right;
border-right: 1px solid #ccc;
width:60px
}
.table-scroll td {text-align: center;}
.table-scroll th {text-align: right;}
/* Other options */

.table-scroll td:first-child,
.table-scroll th:first-child{
flex-basis:200px;
flex-grow:0;
text-align:left;
writing-mode: unset;
}
.widefirst td:first-child,.widefirst th:first-child{ flex-basis:500px;}

.table-scroll tbody tr:nth-child(2n){
background-color: rgba(130,130,170,0.1);
}

/*Feature-Boxen auf HP */
.sectionflex .featurebox {padding:0!important}
#mw-content-text .sectionflex .featurebox h2 {border:0; margin-bottom:0!important}
.featurebox a {color:#444 !important;display:block; padding:4px}
.featurebox a:hover {text-decoration:none !important}
.featurebox:focus, .featurebox:hover {background:#fafafa; border: 1px solid #d4d4da!important}
#bodyContent .featurebox .sectionanchors-button {display:none !important}
.featurebox span[class*=fas] {margin-bottom:0.5em}
.featurebox .mw-headline-number {display:none}

/*Quiz*/
.quiz .question{margin-bottom:3em;}
.questionText{font-weight:700;margin-bottom:1.2em;}
.question .header{background:#fff0e1;padding:1px 6px;}
span.questionText{display:block;}
.question td{background:#f6f6f6;border-bottom:2px solid #fff;padding:8px 6px 6px;}
.question th{background:#f6f6f6;border-bottom:2px solid #fff;padding:8px 6px 6px;}
.quiz table{width:100%;}
.quizQuestions .question .sign{width:26px;}
.quiz table.settings{margin-left:30px!important;}
.mw-content-ltr .quiz .question .border{border-width:0 0 0 12px !important;}
.quiz .margin.right{background-color:#8ed27d!important;}
.quiz .margin.NA{background-color:#337ecc!important;}
.quiz .margin.wrong{background-color:#ff5c64!important;}
.quiz .question .border.right{border-color:#8ed27d!important;}
.quiz .question .border.NA{border-color:#337ecc!important;}
.quiz .question .border.wrong{border-color:#ff5c64!important;}
.quiz .question .check.right{outline:3px solid #8ed27d!important;}
.quiz .question .check.NA{outline:3px solid #337ecc!important;}
.quiz .question .check.wrong{outline:3px solid #ff5c64!important;}
.quizForm input[value="Submit"]{background:#36c;border:none;color:#FFF;margin-right:10px;margin-left:30px;padding:6px 12px;}
.quizForm input:hover[value="Submit"]{background:#2551aa;}
.quizForm input[value="Reset"]{background:#a4a4a4;border:none;color:#FFF;margin-right:10px;padding:6px 12px;}
.quizForm input:hover[value="Reset"]{background:#858585;}
.quiz .correction{background-color:#ffe4c9;display:block;font-weight:700;margin:10px 0 30px 28px;padding:20px;}

.bi {
display: inline-block;
vertical-align: -0.125em;
}
/* Styles for section cards */
.sectionflex {display: flex; flex-wrap: wrap; justify-content:space-between; gap:20px}
.sectionflex.col1 > div {flex-basis:100%; padding:10px 20px; }
.sectionflex.col2 > div {flex-basis:48%; padding:10px 20px; }
.sectionflex.col3 > div {flex-basis:32%; padding:10px 20px;}
.sectionflex.col4 > div {flex-basis:23%; padding:10px 20px;}
.sectionflex > div.empty {border:none; background:none}
#mw-content-text .sectionflex > div h2 {margin:0 0 1em 0; font-size:1.3em}
#mw-content-text .sectionflex > div h3 {margin:0 0 1em; font-size:1.2em}
.sectionflex.frame > div {border: 1px solid #e7e7e7}
.sectionflex.background> div {background: #f1f3f9}
.sectionflex .ve-ce-branchNode-slug, .sectionflex span.mw-editsection {display:none}
.sectionflex.linked a {display:block}
.sectionflex.centered > div {text-align:center;}

/*Feature-Box auf HP*/
.sectionflex .featurebox {padding:0!important}
#mw-content-text .sectionflex .featurebox h2 {border:0; margin-bottom:0!important}
.featurebox a {color:#444 !important;display:block; padding:4px}
.featurebox a:hover {text-decoration:none !important}
.featurebox:focus, .featurebox:hover {background:#fafafa; border: 1px solid #d4d4da!important}
#bodyContent .featurebox .sectionanchors-button {display:none !important}
.featurebox span[class*=fas] {margin-bottom:0.5em}

/*Themen*/
.sectionflex.themenhd div [class*=" bi-"]::before {font-size: 1.6em; vertical-align: middle; padding: 6px; border-radius: 50%;}
.sectionflex.themenhd div [class*=" bi-"]::before {font-size:2em; vertical-align:middle; background-color:#f1f3f9; padding: 10px; }
.sectionflex.themenhd.background div [class*=" bi-"]::before {font-size:2em; vertical-align:middle; background-color:#fff; padding: 10px; }
.themenhd div a {display:block}
.themenhd div:hover {background:rgb(233,233,238,0.5)}
ul.smw-format.ul-format.alltopics-col {column-count: 3;}
@media (max-width: 767px) {.sectionflex.col2 > div, .sectionflex.col3 > div {flex-basis:100%; margin-top:2em}}

/*Präsentationen*/
* {
-webkit-print-color-adjust: exact !important; /* Chrome, Safari */
color-adjust: exact !important; /*Firefox*/
}

.bs-data-after-content, .mw-lingo-tooltip {display:none}
.slideNav {font-size:1rem}
.slideNext::after {font-family:"fontawesome"; content:"\f061"; color:blue; margin-left: 5px;}
.slidePrevious::before {font-family:"fontawesome"; content:"\f060"; color:blue; margin-right:5px;}
.slideHd h1 {border-bottom: 1px solid #e5e5e5;}
.main-footer {display:none;}
.slideBoxes {
display: flex;
flex-direction: row;
flex-wrap: wrap;
justify-content: center;
align-items: stretch;
}
.slideBoxes > div {
width: 45%;
color: #242424;
background-color: #f2f2f2;
border-radius: 20px;
padding: 4px 30px;
margin: 15px;
justify-content:center;
}
.slideBoxes > div.empty {background:none;}
.slideBoxes.hdOnly > div.haslink {transition: all .3s cubic-bezier(.25,.8,.25,1); cursor: pointer;}
.slideBoxes.hdOnly > div.haslink:hover {box-shadow: 0 14px 28px rgba(0,0,0,.25),0 10px 10px rgba(0,0,0,.22);}
.slideBoxes.hdOnly > div {padding:10px;}
.slideBoxes.col3 > div {width:30%;}
.slideBoxes.col1 > div {width:90%;}
#content #bodyContent .slideBoxes h2 {
font-size:1.375rem;
border-bottom: 0px;
padding-bottom: 0;
margin-top: 10px;
margin-bottom: 0px;
font-weight:bold;
color: #242424;
position:relative;
}
#content #bodyContent #mw-content-text .slideBoxes h2 {padding-left:68px; display:block; min-height:2em;}
#content #bodyContent #mw-content-text .slideBoxes.noicon h2 {padding-left:0;}
#content #bodyContent #mw-content-text .slideBoxes h2 a {color: #242424 !important;}

#content #bodyContent .slideBoxes p {
margin-top:0.5em;
font-size:1.2em;
}
.slideBoxes .fas,.slideBoxes .fab, .slideBoxes .fa {
margin-right: 20px;
vertical-align: sub;
font-size:1.7em;
margin-left:-56px;
}
.slidetext, .slidetext p, .slidetext div, .slidetext h3 {font-size:1.3rem;}
#slidecollection {width:100%;}
#slidecollection .slideNav {display:none;}
#slidecollection .slide {padding-top:30px;
background:url('https://de.wiki.bluespice.com/w/nsfr_img_auth.php/6/60/BlueSpice_Logo_v2020-steel-150.png')top right no-repeat !important;
background-size:50px;}

.collapsers h2 {background:#e7e7e7; border:0; padding:10px; color:#333}

/*Referenz Seiten */
.extension-infobox {width:25em;font-size:90%;background-color:#f1f3f9;color:black;margin-bottom:0.5em;margin-left:1em;padding:0.2em;float:right;clear:right;text-align:left;}
.extension-infobox-header{text-align:center;background-color:#2e6096;padding:8px; color:#ffffff;}
.extension-infobox-headertext{font-size:larger;color:#FFFFFF;}
.extension-infobox-description{font-weight:normal!important;text-align:left;background-color:#f1f3f9;padding:20px 10px 20px 10px!important;}
.extension-infobox-first-row{vertical-align:top;padding:20px 10px 0 10px;}
.extension-infobox-row{vertical-align:top;padding:0 10px;}
.extension-infobox-last-row{vertical-align:top;padding:0 10px 20px 10px;}
.extension-infobox-helppage{font-weight:normal;text-align:center;vertical-align:top;padding-left:10px;padding-top:10px;padding-bottom:10px;background-color:#eeeeee;}
.extension-infobox.fullwidth {width:100%; float:none; font-size:1em; margin-left:0;}
.extension-infobox.fullwidth th {text-align:right; }
.extension-infobox-header, .extension-infobox-helppage {text-align:center !important; font-size:1.1em}
.extension-infobox.fullwidth th, .extension-infobox.fullwidth td {padding:8px;width:100px; border: 1px solid #ffffff;}
.extension-infobox.fullwidth td {width:300px; }
.extension-infobox-helppage { background-color: #eaecf0;}
#content #bodyContent #importdata h3 {margin:1em 0 1.4em;}
#importdata .flexbox {justify-content: space-between; margin-top: 2em;}
#mw-content-text #importdata .flexbox h3, [class^="mw-content-"] #importdata .flexbox h3 {background:#d8d8d9; margin:0 0 12px 0; padding:8px; font-size:1em !important; font-weight:bold}
#importdata .mw li {margin-left:0;list-style-type:none; padding-left:30px; background: no-repeat left 1px top 3px / 18px url('/w/nsfr_img_auth.php/c/c6/MediaWiki-2020-small-icon.svg');}
#importdata .bs li {margin-left:0;list-style-type:none; padding-left:30px; background: no-repeat left 2px top 4px / 15px url('/w/nsfr_img_auth.php/c/c4/Bluespice_Icon.svg');}
#importdata .flexbox div {background:#f1f3f9; text-align:left; margin:0; flex-basis:33%; padding:0}
#importdata table.wikitable > tr > th, #importdata table.wikitable > * > tr > th, table.wikitable.reference > tr > th, .importdata .wikitable.reference > * > tr > th {background-color: #eaecf0;text-align: left;padding:8px; border: 1px solid #ffffff}
#importdata table.wikitable > tr > td, #importdata table.wikitable > * > tr > td, #importdata table.wikitable.reference > tr > td, #importdata table.wikitable.reference > * > tr > td {padding:8px; border: 1px solid #ffffff;}
#importdata div .inner {padding:8px 12px}
#importdata .bs p {font-size: 0.9rem; margin-left: 2.1em; display:list-item;}

/*404 system message badaccess-groups*/
#system404-error {text-align:center;}
#system404-error div.floatnone a.image img {padding:0; margin:0;}
#system404-error hr {
margin-top: 0px;
margin-bottom: 2rem;
border: 0;
max-width: 600px;
border-top: 3px dotted #ddd;
}

#content .toc li {margin-bottom: 0.1em;}

/* Icon in boxes on reference pages */
.questionmark-icon::before {
content: '\f059';
font-family: 'fontawesome';
color:#6f6969;
vertical-align: -0.1em;
}

/*Quick Search */
#bs-extendedsearch-box .bs-extendedsearch-autocomplete-popup {overflow-y:scroll; max-height:750px}

.bs-extendedsearch-autocomplete-popup .bs-extendedsearch-autocomplete-popup-item {background:#f1f3f9; margin:0 10px 6px 0; border-radius:4px;}
#bs-extendedsearch-box .bs-extendedsearch-autocomplete-popup .bs-extendedsearch-autocomplete-popup-primary .bs-extendedsearch-autocomplete-popup-primary-item:hover {background:#fff}
.oo-ui-icon-articleRedirect {background-size:80%}
.bs-extendedsearch-autocomplete-popup-item-header-redirect a {
width: 85%!important;
font-size: 0.9em
}

/*Accessibility form*/
div[data-form="Pagedraft:AccessibilityReport"] .oo-ui-fieldLayout-body > .oo-ui-fieldLayout-header {width:12em !important; text-align:right; padding-right:0 !important; border-bottom:1px solid #d0cece}

div[data-form="Pagedraft:AccessibilityReport"] .oo-ui-fieldLayout-body > .oo-ui-fieldLayout-field {width:40em !important}

/*popImg template */

.tippy-content-container .thumbinner a > img {width: 100%;}

/*Number footnotes separately */
#mw-content-text .references ::marker {
content: " ";
}
#mw-content-text ol.references {
counter-reset:ref; list-style-type:none;
}
#mw-content-text ol.references li:before{
counter-increment:ref;
content:counter(ref) ". ";
float: left;
margin-right: 1em;
}
#mw-content-text ol > li li {
margin-left:-0.3em;
}

.tabs
{

list-style-type: none;
margin:0!important;
border-bottom: 1px solid #e9e9ee;
}

.tabs li
{ display: inline-block;
font-size: 1em;
font-weight: bold;
padding: 11px 20px;
border-radius:4px 4px 0 0;
border: 1px solid #e9e9ee;
border-bottom:0;
margin:0

}

.tabs li:hover {background: #f2f3f9;}

.tabs li.current {background: #f2f3f9; border:none; padding: 10px 20px; }
.cards.startpages {gap:28px}
.cards.startpages div {width:350px;}
.cards.startpages .screenshot {width:100%; height:420px}

/*page forms*/
#pfForm .createboxInput,#pfForm input {width:auto;}

/*Quick Search */

.bs-extendedsearch-autocomplete-popup.compact .bs-extendedsearch-autocomplete-popup-primary {
font-size: 1em;
width: 100%;
padding-bottom: 5px;
text-align:left;
overflow: hidden;
border-bottom:10px solid #f1f3f9; border-top:0
}
/*.bs-extendedsearch-autocomplete-popup.compact .bs-extendedsearch-autocomplete-popup-primary .bs-extendedsearch-autocomplete-popup-primary-item {
padding: 6px;
height: fit-content;
max-height: unset!important;
background:#f1f3f9;
margin:3px;
}*/
#bs-extendedsearch-box .bs-extendedsearch-autocomplete-popup .bs-extendedsearch-autocomplete-popup-primary .bs-extendedsearch-autocomplete-popup-primary-item .bs-extendedsearch-autocomplete-popup-primary-item-header {
width: 100%;
color:#444;
font-size:1.1em;
}
.bs-extendedsearch-result-original-title {
font-size:0.85em
}

/*temporary language switcher*/
.ddlistwrapper {display:inline-block; padding:8px 10px 4px 10px!important; text-align:right; background:#f1f3f9; vertical-align:middle; float:right}
.ddlist .dropdown-menu {left: 2px!important;}

/*table type Content*/
table.contenttable thead tr, table.contenttable th {
background-color: #f1f3f9;
border: 1px solid #d3d5da;
font-weight:400;
}

/*Glossar als Tabelle formatieren */

#glossar h2 {font-size:1.4em; margin:0}
#glossar dl {
border: 1px solid #d8d8d9;
display: grid;
grid-template-columns: 200px 1fr;
}

#glossar dt,
#glossar dd {
border-bottom: 1px solid #aeaeae;
padding: 8px;
margin:0;
}

#glossar dt:last-of-type,
#glossar dd:last-of-type {
border-bottom: none;
}

#glossar dt{
font-weight: bold;
}

#glossar dd {
border-left: 1px solid #aeaeae;
margin-left: 0;
}

/* TOC auf der Glossar-Seite als Sprunglinks anzeigen.*/

.page-Glossar .tocnumber {display:none} /*hide numbering if set*/
.page-Glossar .toctext {padding-left:10px;} /*adds left-padding if no numbers are shown*/
.page-Glossar .toctitle {display:none} /*hide title if set*/
.page-Glossar #toc {background:#efefef}
.page-Glossar ul > li.toclevel-1 {display:inline-block}
.page-Glossar ul ul {display:none}
.page-Glossar ul > li.toclevel-1:after {content:'|'; padding-left:10px}
.page-Glossar ul > li.toclevel-1:last-child:after {content:''; padding-left:10px}
.page-Glossar .toc {width:100%;}

.bs-extendedsearch-result-container.redirect {
display: none;
}

#content .toc {margin-top:1em}
#mw-content-text li {margin-top:0.6em; margin-bottom:1em}
#content .toc {margin-top:1em}
#content .toc li {margin-top:0.2em; margin-bottom:0.4em}

/*Hompeage BS5*/
.mpbs5 #mpbanner-title {color:#4b80eb}
.mpbs5 h1#mpbanner-byline {color:#555}
.mpbs5 #mpbsv {color:#4666cd}
.mpbs5 #aktuelles {background: #5d80ec1a}
.mpbs5 #aktuelles h2::before {color: #445389;}
#startpage.mpbs5 .sectionflexcontainer>div h2 {padding:20px 15px 5px 15px}
.mpbs5 .section-featured h2 {font-size:1.2em; margin:0 0 1em 0;border-bottom:none;color:#555}

.mpbs5 .sectionflexcontainer .bi::before {margin-right:10px;}
.mpbs5 .sectionflexcontainer > div {padding:0!important}
.mpbs5 .sectionflexcontainer .content {padding:20px}
.mpbs5 .bghp {display:block;height:150px; padding:0; margin:0;}

.mpbs5 #bg-admins {background:url('/w/nsfr_img_auth.php/8/84/pexels-yankrukov-7693107.jpg') no-repeat; background-size:cover}
.mpbs5 #bg-users {background:url('/w/nsfr_img_auth.php/c/cf/pexels-canvastudio-3277806.jpg') no-repeat; background-size:cover}
.mpbs5 #bg-topics {background:url('/w/nsfr_img_auth.php/9/93/BlueSpice-MediaWiki_Solutions_Losungen.jpg') no-repeat; background-size:cover}
.mpbs5 #bg-setup {background:url('/w/nsfr_img_auth.php/b/b4/pexels-djordje-petrovic-590080-2102416.jpg') no-repeat; background-size:cover}

/*Featurebox */
.sectionflexcontainer > div.featurebox h2 { font-size: 1.2em; border-bottom: none; margin: 0;}
.mpbs5 .featurebox {border-radius:8px; box-shadow: 0px 5px 12px -3px rgba(0,0,0,0.1); padding:0}

#startpage.mpbs5 .sectionflexcontainer > div.featurebox h3 {padding:0; margin:0; font-size:1.1em}
#startpage.mpbs5 .sectionflexcontainer .featurebox {padding:10px 10px 10px 50px!important; position:relative}
.mpbs5 .featurebox:hover {border
:1px solid #747474!important}

.mpbs5 .featurebox.icon:before {Font-family:'fontawesome', 'bootstrap-icons';position:absolute; left:10px;top:20%; font-size:2.2em; color:#979797}

.mpbs5 #bg-pagelinks:before {content:'\f0c1';}
.mpbs5 #bg-translation:before {content:'\f0ac';}
.mpbs5 #bg-bpmn:before {content:'\f0e8';}
.mpbs5 #bg-pdfexport:before {content:'\f1c1';}
.mpbs5 #bg-ai:before {content:'\f6b1'; font-size:2.4em}
.mpbs5 #bg-blog:before {content:'\f075';}
.mpbs5 #bg-collabpads:before {content:'\f0c0';}

/* Hide PDF Exclude Tags*/
.hf-nsheader .pdfcreator-excludestart,
.hf-nsheader .pdfcreator-excludeend,
.hf-nsfooter .pdfcreator-excludestart,
.hf-nsfooter .pdfcreator-excludeend{
display: none;
}

/*Stile für die Unterseitennavigation über Erweiterung HeaderFooter */
.hf-navbox {background: #f2f3f9; padding:1em; margin-bottom:2em}
.hf-subpages .subpagelist ul { margin-top:1em; margin-bottom:1em; column-count:3 }
#mw-content-text .hf-subpages .subpagelist li {margin-top:0}
.hf-subpages .default {display:none; line-height:0; overflow:hidden} /*avoid empty space if there are no subpages*/
.wcagnote {border:1px solid #e9bb06;padding:2px 6px; border-radius:6px; background:#fffdeb;}

/* See ERM45154 */
html {
filter: none !important;
color-scheme: light !important;
}

Security:Security Advisories/BSSA-2025-06/CSAF20.json

2025-10-27T08:44:16Z

Rvogel1: Created page with "<syntaxhighlight lang="json"> { "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "title": "BlueSpice Security Advisory - October 2025", "publisher": { "name": "BlueSpice", "contact_details": "Reported by various community members", "category": "vendor", "namespace": "https://www.bluespice.com" }, "tracking": { "id": "BSSA-2025-05", "status": "final", "revision_history": [..."

<syntaxhighlight lang="json">
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"title": "BlueSpice Security Advisory - October 2025",
"publisher": {
"name": "BlueSpice",
"contact_details": "Reported by various community members",
"category": "vendor",
"namespace": "https://www.bluespice.com"
},
"tracking": {
"id": "BSSA-2025-05",
"status": "final",
"revision_history": [
{
"number": "1.0.0",
"date": "2025-10-27T01:00:00.000Z",
"summary": "Initial release"
}
],
"generator": {
"date": "2025-10-27T08:42:29.936Z",
"engine": {
"version": "2.5.38",
"name": "Secvisogram"
}
},
"current_release_date": "2025-10-27T11:00:00.000Z",
"initial_release_date": "2025-10-27T11:00:00.000Z",
"version": "1.0.0"
},
"notes": [
{
"title": "False positives in 4.5.7 audit",
"text": "Audit tools may detect CVE-2025-53625 and CVE-2025-59839 in builds of 4.5.7. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the 4.5.7 release do contain the necessary fixes for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.",
"category": "other",
"audience": "Sysadmins"
}
],
"acknowledgments": [
{
"names": [
"Various community members"
],
"organization": "BlueSpice",
"summary": "Reported by various community members"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61634",
"title": "Denial Of Service in MediaWiki Core / REST",
"notes": [
{
"type": "general",
"text": "Low severity. No mitigation provided.",
"category": "summary",
"title": "Summay"
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
},
{
"cve": "CVE-2025-61636",
"title": "XSS in MediaWiki Core / HTMLForm",
"notes": [
{
"type": "general",
"text": "Low severity. Affected code not used in BlueSpice by default."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5"
]
}
},
{
"cve": "CVE-2025-61637",
"title": "XSS in MediaWiki Core / Preview",
"notes": [
{
"type": "general",
"text": "Low severity. Requires admin privileges (NS_MEDIAWIKI)."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5"
]
}
},
{
"cve": "CVE-2025-61638",
"title": "XSS in MediaWiki Core / Various",
"notes": [
{
"type": "general",
"text": "High severity. Part of standard editing functionality."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
},
{
"cve": "CVE-2025-61639",
"title": "Information Disclosure in MediaWiki Core / RecentChanges",
"notes": [
{
"type": "general",
"text": "Medium severity. No mitigation provided."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
},
{
"cve": "CVE-2025-61655",
"title": "XSS in Extension:VisualEditor",
"notes": [
{
"type": "general",
"text": "High severity. Part of standard editing functionality. Mitigation: Disable Extension:VisualEditor."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3",
"BlueSpice 4.5.7"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
},
{
"cve": "CVE-2025-59839",
"title": "XSS in Extension:EmbedVideo",
"notes": [
{
"type": "general",
"text": "High severity. Mitigation: Disable Extension:EmbedVideo."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
},
{
"cve": "CVE-2025-54370",
"title": "Server-side Request Forgery in Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics, and Extension:BlueSpiceUEModuleTable2Excel",
"notes": [
{
"type": "general",
"text": "Medium severity. Mitigation: Disable the affected extensions."
}
],
"product_status": {
"fixed": [
"BlueSpice 5.1.3"
],
"known_affected": [
"BlueSpice 5",
"BlueSpice 4"
]
}
}
]
}
</syntaxhighlight>

Security:Security Advisories/BSSA-2025-06

2025-10-27T08:31:13Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171]
* [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277]
* [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965]
* [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173]
* [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175]
* [https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625]
* [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370]
* [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839]
* [https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634]
* [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635]
* [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636]
* [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637]
* [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638]
* [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639]
* [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640]
* [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641]
* [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642]
* [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643]
* [https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646]
* [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652]
* [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657]
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
|''<no information available>''
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
|''<no information available>''
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|Server-side Request Forgery
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|Arbitrary Code Execution
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|Memory Corruption
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|Use-After-Ffree
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-11173
| style="vertical-align:middle;text-align:left;" class="col-orange-bg" |Low
| style="vertical-align:middle;text-align:left;" |Disable Extension:OATHAuth
|-
|CVE-2025-11175
| style="" class="col-green-bg" |Part of distribution, but disabled by default
| -
|-
| CVE-2025-61634
| style="" class="col-orange-bg" |Low
| -
|-
|CVE-2025-61635
| style="" class="col-green-bg" |Part of distribution, but disabled by default
| -
|-
| CVE-2025-61636
| style="" class="col-orange-bg" |Low; Affected code not used in BlueSpice by default
| -
|-
| CVE-2025-61637
| style="" class="col-orange-bg" |Low; Requires admin privileges (<code>NS_MEDIAWIKI</code>)
| -
|-
| CVE-2025-61638
| style="" class="col-purple-bg" |High; Part of standard editing functionality
| -
|-
| CVE-2025-61639
| style="" class="col-red-bg" |Medium
| -
|-
| CVE-2025-61640
| style="" class="col-orange-bg" |Low; Requires admin privileges (<code>NS_MEDIAWIKI</code>)
| -
|-
| CVE-2025-61641
| style="" class="col-orange-bg" |Low
| -
|-
| CVE-2025-61642
| style="" class="col-orange-bg" |Low; Affected code not used in BlueSpice by default
| -
|-
| CVE-2025-61643
| style="" class="col-red-bg" |Medium
| -
|-
| CVE-2025-61646
| style="" class="col-red-bg" |Medium
| -
|-
|CVE-2025-61652
| style="" class="col-green-bg" |Part of distribution, but disabled by default
|
|-
| CVE-2025-61653
| style="" class="col-red-bg" |Medium
|Disable Extension:Popups and Extension:HoverCards
|-
| CVE-2025-61655
| style="" class="col-purple-bg" |High; Part of standard editing functionality
|Disable Extension:VisualEditor
|-
|CVE-2025-61656
| style="" class="col-purple-bg" |High; Part of standard editing functionality
|Disable Extension:VisualEditor
|-
|CVE-2025-61657
| style="" class="col-green-bg" |Part of distribution, but disabled by default
| -
|-
| CVE-2025-53625
| style="" class="col-red-bg" |Medium
|Disable Extension:DynamicPageList
|-
| CVE-2025-59839
| style="" class="col-purple-bg" |High
|Disable Extension:EmbedVideo
|-
| CVE-2025-54370
| style="" class="col-red-bg" |Medium
|Disable Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|-
|CVE-2025-3277
| style="" class="col-orange-bg" |Low
|Make sure <code>bluespice/database</code> is properly isolated from unauthorized external access
|-
|CVE-2025-6965
| style="" class="col-orange-bg" |Low
|Make sure <code>bluespice/database</code> is properly isolated from unauthorized external access
|-
|CVE-2024-56171
| style="" class="col-orange-bg" |Low
|Make sure <code>bluespice/database</code> is properly isolated from unauthorized external access
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T08:17:42Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171]
* [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277]
* [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965]
* [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173]
* [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175]
* [https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625]
* [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370]
* [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839]
* [https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634]
* [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635]
* [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636]
* [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637]
* [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638]
* [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639]
* [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640]
* [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641]
* [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642]
* [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643]
* [https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646]
* [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652]
* [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657]
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
|''<no information available>''
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
|''<no information available>''
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|Server-side Request Forgery
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|Arbitrary Code Execution
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|Memory Corruption
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|Use-After-Ffree
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-11173
| style="vertical-align:middle;text-align:left;" |
| style="vertical-align:middle;text-align:left;" |
|-
|CVE-2025-11175
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61634
|
|
|-
|CVE-2025-61635
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
|CVE-2025-61652
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
|CVE-2025-61657
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:33:27Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171]
* [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277]
* [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965]
* [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173]
* [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175]
* [https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625]
* [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370]
* [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839]
* [https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634]
* [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635]
* [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636]
* [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637]
* [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638]
* [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639]
* [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640]
* [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641]
* [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642]
* [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643]
* [https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646]
* [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652]
* [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657]
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
|
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
|
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| style="vertical-align:middle;text-align:left;" |CVE-2025-11173
| style="vertical-align:middle;text-align:left;" |
| style="vertical-align:middle;text-align:left;" |
|-
|CVE-2025-11175
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61634
|
|
|-
|CVE-2025-61635
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
|CVE-2025-61652
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
|CVE-2025-61657
|Part of distribution, but disabled by default
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:22:25Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171]
* [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277]
* [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965]
* [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173]
* [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175]
* [https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625]
* [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370]
* [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839]
* [https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634]
* [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635]
* [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636]
* [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637]
* [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638]
* [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639]
* [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640]
* [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641]
* [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642]
* [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643]
* [https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646]
* [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652]
* [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657]
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure ( Part of distribution, but disabled by default )
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{{Textbox|boxtype=note|header=|text=This section only lists vulnerabilities that has been identified as affecting BlueSpice version 4 or 5|icon=yes}}
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| CVE-2025-61634
|
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
| CVE-2025-11173
|
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:21:07Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171]
* [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173]
* [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277]
* [https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625]
* [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370]
* [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839]
* [https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634]
* [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635]
* [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636]
* [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637]
* [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638]
* [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639]
* [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640]
* [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641]
* [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642]
* [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643]
* [https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646]
* [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652]
* [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175]
* [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656]
* [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657]
* [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965]

|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure ( Part of distribution, but disabled by default )
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{{Textbox|boxtype=note|header=|text=This section only lists vulnerabilities that has been identified as affecting BlueSpice version 4 or 5|icon=yes}}
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| CVE-2025-61634
|
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
| CVE-2025-11173
|
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:15:23Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure ( Part of distribution, but disabled by default )
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{{Textbox|boxtype=note|header=|text=This section only lists vulnerabilities that has been identified as affecting BlueSpice version 4 or 5|icon=yes}}
{| class="wikitable" style="width: 100%;"
! CVE !! Assessment !! Mitigation
|-
| CVE-2025-61634
|
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
| CVE-2025-11173
|
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:14:53Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| MediaWiki Core / REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| MediaWiki Core / Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| MediaWiki Core / Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| MediaWiki Core / RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| MediaWiki Core / RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| MediaWiki Core / ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| MediaWiki Core / HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| MediaWiki Core / RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| MediaWiki Core / RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure ( Part of distribution, but disabled by default )
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|Information disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
|CVE-2025-3277
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2025-6965
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|-
|CVE-2024-56171
|Container <code>bluespice/database</code>
|
| style="" class="col-green-bg" |not affected
| style="" class="col-purple-bg" |affected
|}

== Impact assessment ==
{{Textbox|boxtype=note|header=|text=This section only lists vulnerabilities that has been identified as affecting BlueSpice version 4 or 5|icon=yes}}
{| class="wikitable"
! CVE !! Assessment !! Mitigation
|-
| CVE-2025-61634
|
|
|-
| CVE-2025-61636
|
|
|-
| CVE-2025-61637
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-61639
|
|
|-
| CVE-2025-61640
|
|
|-
| CVE-2025-61641
|
|
|-
| CVE-2025-61642
|
|
|-
| CVE-2025-61643
|
|
|-
| CVE-2025-61646
|
|
|-
| CVE-2025-11173
|
|
|-
| CVE-2025-61653
|
|
|-
| CVE-2025-61655
|
|
|-
|CVE-2025-61656
|
|
|-
| CVE-2025-61638
|
|
|-
| CVE-2025-53625
|
|
|-
| CVE-2025-59839
|
|
|-
| CVE-2025-54370
|
|
|-
|CVE-2025-3277
|
|
|-
|CVE-2025-6965
|
|
|-
|CVE-2024-56171
|
|
|}

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-27T07:03:00Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
|}

== Problem ==
{{Textbox|boxtype=note|header=|text=The following list only contains items from [https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/TF4S5Y2324UIW3GOBPBWD2MSUSROG5GH/ MediaWiki 1.43.5 und 1.39.15], that are actually part of the BlueSpice distribution.|icon=yes}}
{| class="wikitable"
! CVE !! Component !! Type of vulnerability !! BlueSpice 5 !! BlueSpice 4
|-
| CVE-2025-61634
| Core/REST
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61636
| Core/HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61637
| Core/Preview
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Core/Various
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61639
| Core/RecentChanges
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61640
| Core/RecentChanges
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61641
| Core/ActionAPI
| Denial Of Service
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61642
| Core/HTMLForm
| XSS
| class="col-purple-bg" | affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61643
| Core/RecentChanges (Feed)
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61646
| Core/RecentChanges+Watchlist
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61635
| Extension:ConfirmEdit
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61652, CVE-2025-11175
| Extension:DiscussionTools
| Information Disclosure ( Part of distribution, but disabled by default )
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-11173
| Extension:OATHAuth
| Bypass authn at content check
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61653
| Extension:TextExtracts
| Information Disclosure
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61655, CVE-2025-61656
| Extension:VisualEditor
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-61657
| Skin:Vector
| Part of distribution, but disabled by default
| class="col-green-bg" | not affected
| class="col-green-bg" | not affected
|-
| CVE-2025-61638
| Parsoid
| XSS
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-53625
| Extension:DynamicPageList
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-59839
| Extension:EmbedVideo
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|-
| CVE-2025-54370
| Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel
|
| class="col-purple-bg" | affected
| class="col-purple-bg" | affected
|}

== Impact assessment ==
TDB

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-26T11:13:18Z

Rvogel1:

Security:Security Advisories/BSSA-2025-06

2025-10-26T11:05:41Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
|
* Current LTS version 5.1, < 5.1.3
* Legacy version 4.5, < 4.5.7
|-
|Fixed in
|
* 5.1.3
* 4.5.7
|-
|CVE
|
|}

== Problem ==

* CVE-2025-61634: Core/REST → Denial Of Service → BlueSpice 5 affected
* CVE-2025-61636: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61637: Core/Preview →XSS → BlueSpice 5 affected
* CVE-2025-61638: Core/Various →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61639: Core/RecentChanges → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61640: Core/RecentChanges → XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61641: Core/ActionAPI → Denial Of Service → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61642: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61643: Core/RecentChanges (Feed) → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61646: Core/RecentChanges+Watchlist → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61635: Extension:ConfirmEdit → Part of distribution, but disabled by default; Not affected
* CVE-2025-61652, CVE-2025-11175: Extension:DiscussionTools → Information Disclosure → Part of distribution, but disabled by default → Not affected
* CVE-2025-11173: Extension:OATHAuth → Bypass authn at content check → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61653: Extension:TextExtracts → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61655, CVE-2025-61656: Extension:VisualEditor →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61657: Skin:Vector - Part of distribution, but disabled by default; Not affected
* CVE-2025-61638: Parsoid → XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-53625: Extension:DynamicPageList → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-59839: Extension:EmbedVideo → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-54370: Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel → BlueSpice 5 affected, BlueSpice 4 affected

== Impact assessment ==
TDB

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-20T14:26:28Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
| Current LTS version 5.1, < 5.1.3; Legacy version 4.5, < 4.5.7
|-
|Fixed in
|5.1.3; 4.5.7
|-
|CVE
|
|}

== Problem ==

* CVE-2025-61634: Core/REST → Denial Of Service → BlueSpice 5 affected
* CVE-2025-61636: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61637: Core/Preview →XSS → BlueSpice 5 affected
* CVE-2025-61638: Core/Various →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61639: Core/RecentChanges → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61640: Core/RecentChanges → XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61641: Core/ActionAPI → Denial Of Service → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61642: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61643: Core/RecentChanges (Feed) → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61646: Core/RecentChanges+Watchlist → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61635: Extension:ConfirmEdit → Part of distribution, but disabled by default; Not affected
* CVE-2025-61652, CVE-2025-11175: Extension:DiscussionTools → Information Disclosure → Part of distribution, but disabled by default → Not affected
* CVE-2025-11173: Extension:OATHAuth → Bypass authn at content check → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61653: Extension:TextExtracts → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61655, CVE-2025-61656: Extension:VisualEditor →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61657: Skin:Vector - Part of distribution, but disabled by default; Not affected
* CVE-2025-61638: Parsoid → XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-53625: Extension:DynamicPageList → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-59839: Extension:EmbedVideo → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-54370: Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel → BlueSpice 5 affected, BlueSpice 4 affected

== Impact assessment ==
TDB

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-20T14:14:53Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
| Current LTS version 5.1, < 5.1.3; Legacy version 4.5, < 4.5.7
|-
|Fixed in
|5.1.3; 4.5.7
|-
|CVE
|
|}

== Problem ==

* CVE-2025-61634: Core/REST → Denial Of Service → BlueSpice 5 affected
* CVE-2025-61636: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61637: Core/Preview →XSS → BlueSpice 5 affected
* CVE-2025-61638: Core/Various →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61639: Core/RecentChanges → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61640: Core/RecentChanges → XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61641: Core/ActionAPI → Denial Of Service → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61642: Core/HTMLForm → XSS → BlueSpice 5 affected
* CVE-2025-61643: Core/RecentChanges (Feed) → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61646: Core/RecentChanges+Watchlist → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61635: Extension:ConfirmEdit → Part of distribution, but disabled by default; Not affected
* CVE-2025-61652, CVE-2025-11175: Extension:DiscussionTools → Information Disclosure → Part of distribution, but disabled by default → Not affected
* CVE-2025-11173: Extension:OATHAuth → Bypass authn at content check → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61653: Extension:TextExtracts → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61655, CVE-2025-61656: Extension:VisualEditor →XSS → BlueSpice 5 affected, BlueSpice 4 affected
* CVE-2025-61657: Skin:Vector - Part of distribution, but disabled by default; Not affected
* CVE-2025-61638: Parsoid → XSS → BlueSpice 5 affected, BlueSpice 4 affected

== Impact assessment ==

*

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-20T06:37:06Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-10-22
|-
|Severity
|
|-
|Affected
| Current LTS version 5.1, < 5.1.3; Legacy version 4.5, < 4.5.7
|-
|Fixed in
|5.1.3; 4.5.7
|-
|CVE
|
|}

== Problem ==

*

== Impact assessment ==

*

== Solution ==

* Update to BlueSpice 5.1.3
* Update to BlueSpice 4.5.7
{{Textbox|boxtype=important|header=False positives in 4.5.7 audit|text=Audit tools may detect <code>CVE-2025-53625</code> and <code>CVE-2025-59839</code> in builds of <code>4.5.7</code>. This is because there are no fixed compatible versions of the affected components available. The versions bundled with the <code>4.5.7</code> release '''do contain the neccessary fixes''' for those issues as backports. It is just their version numbers are not known to be fixed by the vulnerability databases.|icon=yes}}

== Acknowledgements ==
Reported by various community members

Security:Security Advisories/BSSA-2025-06

2025-10-20T06:29:14Z

Rvogel1: Created page with "{| class="wikitable" |+ ! ! |- |Date |2025-09-19 |- |Severity |Medium |- |Affected | Current LTS version 5.1, < 5.1.2 |- |Fixed in |5.1.2 |- |CVE | [https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114] |} == Problem == * XSS in Extension:AtMentions * XSS in Extens..."

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-19
|-
|Severity
|Medium
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|
[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|}

== Problem ==

* XSS in Extension:AtMentions
* XSS in Extension:BlueSpiceAvatars
* XSS in Extension:BlueSpiceWhoIsOnline
* XSS in Extension:CognitiveProcessDesigner

== Impact assessment ==

* Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged in user can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions
* Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions

== Solution ==
Update to BlueSpice 5.1.2

== Acknowledgements ==
Reported by [https://github.com/SomeMWDev/ SomeRandomDeveloper]

Security:Security Advisories

2025-10-07T06:06:29Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2023-02|BSSA-2023-02]]
|2023-10-30
|Security vulnerabilities in Extension:BlueSpiceAvatars
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|Allows Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
|}

Security:Security Advisories

2025-09-22T06:31:07Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
|Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
|}

Security:Security Advisories/BSSA-2025-05

2025-09-22T06:30:54Z

Rvogel1:

Security:Security Advisories

2025-09-22T06:27:01Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
|-
|[[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|2025-09-19
|XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
|[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-CVE-2025-58114 CVE-2025-58114]
|Cross-Site Scripting (XSS)
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
|}

Security:Security Advisories/BSSA-2025-05

2025-09-22T06:26:20Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-19
|-
|Severity
|Medium
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|
[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-CVE-2025-58114 CVE-2025-58114]
|}

== Problem ==

* XSS in Extension:AtMentions
* XSS in Extension:BlueSpiceAvatars
* XSS in Extension:BlueSpiceWhoIsOnline
* XSS in Extension:CognitiveProcessDesigner

== Impact assessment ==

* Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged in user can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions
* Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions

== Solution ==
Update to BlueSpice 5.1.2

== Acknowledgements ==
Reported by [https://github.com/SomeMWDev/ SomeRandomDeveloper]

Security:Security Advisories/BSSA-2025-05

2025-09-22T06:25:52Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-19
|-
|Severity
|Medium
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|
[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880],[https://www.cve.org/CVERecord?id=CVE-CVE-2025-58114 CVE-2025-58114]
|}

== Problem ==

* XSS in Extension:AtMentions
* XSS in Extension:BlueSpiceAvatars
* XSS in Extension:BlueSpiceWhoIsOnline
* XSS in Extension:CognitiveProcessDesigner

== Impact assessment ==

* Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged in user can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions
* Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions

== Solution ==
Update to BlueSpice 5.1.2

== Acknowledgements ==
Reported by [https://github.com/SomeMWDev/ SomeRandomDeveloper]

Security:Security Advisories/BSSA-2025-05

2025-09-19T13:07:07Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-??
|-
|Severity
|TBD
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|
[https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880],[https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880]
|}

== Problem ==

* XSS in Extension:AtMentions
* XSS in Extension:BlueSpiceAvatars
* XSS in Extension:BlueSpiceWhoIsOnline
* XSS in Extension:CognitiveProcessDesigner

== Impact assessment ==

* Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged in user can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions
* Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions

== Solution ==
Update to BlueSpice 5.1.2

== Acknowledgements ==
Reported by [https://github.com/SomeMWDev/ SomeRandomDeveloper]

Security:Hall of Fame

2025-09-18T12:38:37Z

Rvogel1:

{| class="wikitable" style="width:100%;"
! style="width:200px;" |Date
! style="width:200px;" |Name
!Issue
|-
| style="width:200px;" |2025-09-07
| style="width:200px;" |[https://github.com/SomeMWDev/ SomeRandomDeveloper]
|See [[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
|}

Security:Security Advisories/BSSA-2025-05

2025-09-18T07:49:00Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-??
|-
|Severity
|TBD
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|TBD
|}

== Problem ==

* XSS in Extension:AtMentions
* XSS in Extension:BlueSpiceAvatars
* XSS in Extension:BlueSpiceWhoIsOnline
* XSS in Extension:CognitiveProcessDesigner

== Impact assessment ==

* Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged in user can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions
* Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users clients and therefore e.g. hijack sessions

== Solution ==
Update to BlueSpice 5.1.2

== Acknowledgements ==
Reported by [https://github.com/SomeMWDev/ SomeRandomDeveloper]

Security:Security Advisories/BSSA-2025-04

2025-09-18T07:47:07Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-18
|-
|Severity
|reported "critical", BlueSpice assessment: '''low'''
|-
|Affected
| Services in current LTS version 5.1
|-
|Fixed in
|fix not yet available
|-
|CVE
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|}

==Problem==

* Service <code>bluespice/search</code>- [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988]
* Service <code>bluespice/formula</code> - [https://avd.aquasec.com/nvd/2025/cve-2025-7783/ CVE-2025-7783/]
* Service <code>bluespice/wiki</code>
** PCRE: [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050]
** libxml: [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794] and [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]

==Impact assessment==

* Service <code>bluespice/search</code>
** The issues has already been fixed in the upstream repository, but there was no official release yet
** A manipulated PDF file needs to be uploaded to the wiki, which usually requires an authenticated user context. The service runs only in the background and can not be accessed from outside the virtual network. It has limited access to the host system.
* Service <code>bluespice/formula</code>
** Caused by a dependency of [https://www.npmjs.com/package/coveralls coveralls]
** Not used production code
* Service <code>bluespice/wiki</code>
** No direct usage of those libraries
** Only accessed via PHP
** Main impacts are potential information disclose and denial-of-service
*** No critical information can be disclosed

== Solution ==
To mitigate <code>CVE-2025-54988</code> one can make sure the service has no access to the internet.

Besides this, there is currently no solution to those issues. Once the upstream vendors release fixed packages, the next patchlevel release of BlueSpice will contain them.

Security:Security Advisories/BSSA-2025-04

2025-09-18T07:33:17Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-18
|-
|Severity
|reported "critical", BlueSpice assessment: '''low'''
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|fix not yet available
|-
|CVE
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|}

==Problem==

* Service <code>bluespice/search</code>- [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988]
* Service <code>bluespice/formula</code> - [https://avd.aquasec.com/nvd/2025/cve-2025-7783/ CVE-2025-7783/]
* Service <code>bluespice/wiki</code>
** PCRE: [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050]
** libxml: [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794] and [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]

==Impact assessment==

* Service <code>bluespice/search</code>
** The issues has already been fixed in the upstream repository, but there was no official release yet
** A manipulated PDF file needs to be uploaded to the wiki, which usually requires an authenticated user context. The service runs only in the background and can not be accessed from outside the virtual network. It has limited access to the host system.
* Service <code>bluespice/formula</code>
** Caused by a dependency of [https://www.npmjs.com/package/coveralls coveralls]
** Not used production code
* Service <code>bluespice/wiki</code>
** No direct usage of those libraries
** Only accessed via PHP
** Main impacts are potential information disclose and denial-of-service
*** No critical information can be disclosed

== Solution ==
To mitigate <code>CVE-2025-54988</code> one can make sure the service has no access to the internet.

Besides this, there is currently no solution to those issues. Once the upstream vendors release fixed packages, the next patchlevel release of BlueSpice will contain them.

Security:Security Advisories/BSSA-2025-05

2025-09-18T07:33:04Z

Rvogel1: Created page with "{| class="wikitable" |+ ! ! |- |Date |2025-09-?? |- |Severity | |- |Affected | < 5.1.2 |- |Fixed in |5.1.2 |- |CVE | |} == Problem == TBD == Impact assessment == TBD == Solution == Update to BlueSpice 5.1.2"

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-??
|-
|Severity
|
|-
|Affected
| < 5.1.2
|-
|Fixed in
|5.1.2
|-
|CVE
|
|}

== Problem ==

TBD

== Impact assessment ==
TBD

== Solution ==
Update to BlueSpice 5.1.2

Security:Security Advisories

2025-09-18T07:31:18Z

Rvogel1:

{| class="wikitable sortable" style="width:100%;"
! style="" |Release name
! style="" |Release date
! style="" |Title
! style="" |References
! style="" |Summary
|-
|[[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
|2025-09-18
|Security vulnerabilities in services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
|[https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|Denial-of-Service, Information Disclosure
|-
|[[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
|2025-07-28
|Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
|[https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
|Information Disclosure, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| style="" |2025-04-17
| style="" |Security vulnerabilities in Extension:OAuth
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| style="" |Allows unauthorized access to the wiki, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| style="" |2025-01-20
| style="" |Security vulnerabilities in Extension:DataTransfer
| style="" |[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| style="" |Allows Cross Site Request Forgery, Cross-Site Scripting (XSS)
|-
| style="" |[[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| style="" |2023-07-25
| style="" |Ghostscript vulnerability
| style="" |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| style="" |Code can be executed on the server via a manipulated PDF
|-
| style="" |[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| style="" |Arbitrary HTML injection through use of interface elements
|-
| style="" |[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| style="" |Arbitrary HTML injection through personal menu items
|-
| style="" |[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| style="" |Arbitrary HTML injection through the custom menu
|-
| style="" |[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| style="" |Arbitrary HTML injection through the book navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| style="" |Arbitrary HTML injection through user preferences
|-
| style="" |[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| style="" |Arbitrary HTML injection through main navigation
|-
| style="" |[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| style="" |2022-11-15
| style="" |XSS attack vector on regular pages
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| style="" |Arbitrary HTML injection through the 'title' parameter
|-
| style="" |[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| style="" |2022-01-31
| style="" |XSS attack vector in Search Center
| style="" |[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| style="" |JavaScript in search field is reflected back to the browser.
|}

Security:Security Advisories/BSSA-2025-04

2025-09-17T12:23:18Z

Rvogel1:

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-17
|-
|Severity
|reported "critical", BlueSpice assessment: '''low'''
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|fix not yet available
|-
|CVE
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|}

==Problem==

* Service <code>bluespice/search</code>- [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988]
* Service <code>bluespice/formula</code> - [https://avd.aquasec.com/nvd/2025/cve-2025-7783/ CVE-2025-7783/]
* Service <code>bluespice/wiki</code>
** PCRE: [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050]
** libxml: [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794] and [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]

==Impact assessment==

* Service <code>bluespice/search</code>
** The issues has already been fixed in the upstream repository, but there was no official release yet
** A manipulated PDF file needs to be uploaded to the wiki, which usually requires an authenticated user context. The service runs only in the background and can not be accessed from outside the virtual network. It has limited access to the host system.
* Service <code>bluespice/formula</code>
** Caused by a dependency of [https://www.npmjs.com/package/coveralls coveralls]
** Not used production code
* Service <code>bluespice/wiki</code>
** No direct usage of those libraries
** Only accessed via PHP
** Main impacts are potential information disclose and denial-of-service
*** No critical information can be disclosed

== Solution ==
To mitigate <code>CVE-2025-54988</code> one can make sure the service has no access to the internet.

Besides this, there is currently no solution to those issues. Once the upstream vendors release fixed packages, the next patchlevel release of BlueSpice will contain them.

Security:Security Advisories/BSSA-2025-04

2025-09-17T11:31:16Z

Rvogel1: Created page with "{| class="wikitable" |+ ! ! |- |Date |2025-09-17 |- |Severity |reported "critical", BlueSpice assessment: '''low''' |- |Affected | Current LTS version 5.1, < 5.1.2 |- |Fixed in |fix not yet available |- |CVE | [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796] |} ==Problem=..."

{| class="wikitable"
|+
!
!
|-
|Date
|2025-09-17
|-
|Severity
|reported "critical", BlueSpice assessment: '''low'''
|-
|Affected
| Current LTS version 5.1, < 5.1.2
|-
|Fixed in
|fix not yet available
|-
|CVE
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
|}

==Problem==

* Service <code>bluespice/search</code>
** [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988]
** XXE; Fixed in code, not yet released by vendor
* Service <code>bluespice/formula</code>
** [https://avd.aquasec.com/nvd/2025/cve-2025-7783/ CVE-2025-7783/]
** Caused by a dependency of [https://www.npmjs.com/package/coveralls coveralls]; Not used by any production code.
* Service <code>bluespice/wiki</code>
** PCRE: [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050]
** libxml: [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794] and [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]

==Impact assessment==

* Service <code>bluespice/search</code>
* Service <code>bluespice/formula</code>
* Service <code>bluespice/wiki</code>

== Solution ==
There is currently no solution to those issues. Once the upstream vendors release fixed packages, the next patchlevel release of BlueSpice will contain them.

How to debug

2025-08-18T08:20:10Z

Rvogel1:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

===== Important log channels =====
{{Textbox|boxtype=important|header=Channel names must be ''exactly'' like listed here! Watch out for casing and spaces!|text=|icon=yes}}
{| class="wikitable"
!Source (Extension)
!Channel name(s)
!Use case
|-
|MW CORE
|<code>http</code>, <code>HttpError</code>
<code>JobExecutor</code>

<code>LocalFile</code>

<code>exception</code>

<code>DeferredUpdates</code>

<code>Parsoid</code>

<code>resourceloader</code>

<code>runJobs</code>

<code>session</code>, <code>login</code>

...
|
|-
|MWSTAKE COMPONENTS
|<code>ContentProvisioner</code>
<code>runjobs-trigger-runner</code>
|
|-
|Math
|<code>Math</code>
|Math
|-
|PluggableAuth
|<code>PluggableAuth</code>
|LDAP, SAML, OpenIDConnect
|-
|LDAPProvider
|<code>LDAP</code>
<code>MediaWiki\\Extension\\LDAPProvider\\Client</code>
|LDAP
|-
|LDAPAuthentication2
|<code>LDAPAuthentication2</code>
|LDAP
|-
|LDAPGroups
|<code>LDAPGroups</code>
|LDAP
|-
|LDAPUserInfo
|<code>LDAPUserInfo</code>
|LDAP
|-
|LDAPSyncAll
|<code>LDAPSyncAll</code>
|LDAP
|-
|LDAPAuthorization
|<code>LDAPAuthorization</code>
|LDAP
|-
|Auth_remoteuser
|<code>session</code>
|LDAP (SSO/Kerberos)
|-
|SimpleSAMLphp
|<code>SimpleSAMLphp</code>
|SAML
|-
|OpenIDConnect
|<code>OpenID Connect</code>
|OpenIDConnect
|-
|ImportOfficeFiles
|<code>ImportOfficeFiles</code>
<code>ImportOfficeFiles_RemoveOrphanedDirectories</code>

<code>ImportOfficeFiles_UI</code>
|
|-
|Workflows
|<code>workflows</code>
|
|-
|BlueSpiceArticlePreviewCapture
|<code>ArticlePreviewCapture</code>
|
|-
|OAuth
|<code>OAuth</code>
|
|-
|BlueSpiceUEModulePDF, BlueSpiceUEModuleBookPDF
|<code>BS::UEModulePDF</code>
|PDF
|-
|BlueSpiceExtendedSearch
|<code>BSExtendedSearch</code>
|Search
|-
|BlueSpiceWikiFarm
|<code>SimpleFarmerAPI</code>
|Farm operations
|}

===== Default exception log =====
By default, the application logs the channels <code>error</code> and <code>exception</code> into the regular PHP error log. In case <code>$wgShowExceptionDetails</code> is set to <code>false</code> , an user may just see something like this:
[[File:How to debug Internal Error No Details.png|border|center|thumb|617x617px]]
In such cases , administrators can check the PHP error log for the unique "error id".

Example:<syntaxhighlight lang="text">
> grep 48f97a8a07b0d68f245bf15d /var/logs/php_error

PHP message: [2024-10-04T15:02:47.217190+02:00] exception.ERROR: [48f97a8a07b0d68f245bf15d] /wiki/Special:Books Exception: File not found
{
"exception": "[object] (Exception(code: 0): File not found at /app/bluespice/w/extensions/BlueSpiceBookshelf/src/Special/Books.php:31)",
"exception_url": "/wiki/Special:Books",
"reqId": "48f97a8a07b0d68f245bf15d",
"caught_by": "entrypoint"
}
{
"host": "dc7af0034e3b",
"wiki": "bluespice",
"mwversion": "1.39.10",
"reqId": "48f97a8a07b0d68f245bf15d"
}
</syntaxhighlight>

=== Clientside output of serverside logs ===
Can be enabled using [[mediawikiwiki:Manual:$wgDebugToolbar|$wgDebugToolbar]]

Example:<syntaxhighlight lang="php">
$GLOBALS['wgDebugToolbar'] = isset( $_GET['dodebugtoolbar'] )
</syntaxhighlight>

With this setting you can append <code>?dodebugtoolbar=1</code> to the URL in the addressbar of your browser.

<gallery>
File:How to debug DebugToolbar1.png
File:How to debug DebugToolbar2.png
File:How to debug DebugToolbar3.png
File:How to debug DebugToolbar4.png
</gallery>

{{Textbox|boxtype=important|header=Incompatible with <code>$bsgDebugLogGroups</code>!|text=If you have any debug log channel wired via <code>$bsgDebugLogGroups</code> the clientside debug toolbar will not show all information. Some panels may be empty.|icon=yes}}

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}

'''Example:'''

[[File:How_to_debug_JS_console_01.png|center|frame]]

One can click the link on the right side of the line to see the location of where the error has emerged from.

'''Example:'''

[[File:How_to_debug_JS_console_02.png|center|frame]]

====Network panel====
Sometimes network communication in the background of the application fails. In such cases, the "Network" panel of the browsers developer tools may reveal more information.

The error is also shown in the "Console" tab.

'''Example:'''

[[File:How_to_debug_Network_panel_01.png|center|frame]]

When in the "Network" panel, one can select the faulty request from the list to get more information.

'''Example:'''

[[File:How_to_debug_Network_panel_02.png|center|frame]]

The various tabs "Header", "Payload", "Response", etc. can provide useful information. When reporting such an issue, you can just "copy" the information using the context menu.

'''Example:'''

[[File:How_to_debug_Network_panel_03.png|center|frame]]

====Network panel: Record complete communication====
Sometimes it may be required to record a series of network requests and responses in order to debug. This is especially true for '''login related''' issues.{{Textbox
|boxtype=warning
|header=Do not share sensitive information in public places
|text=Make sure to only provide trustworthy parties with this kind of information. Do not post this in public places like https://community.bluespice.com
Use secure communication channels for transmission.
|icon=yes
}}

# Open a “private widow”
# Enable “Preserve log” in the “nework” panel of the browsers developer tools (F12)[[File:How to debug Network panel all 01.png|center|thumb|300x300px]]
# Enable"Allow to generate HAR with sensitive data" in the developer tools settings[[File:How to debug Network panel all 02.png|center|thumb|300x300px]][[File:How to debug Network panel all 03.png|center|thumb|300x300px]]
# Play through the entire process
# Save the HAR file for further analysis.[[File:How to debug Network panel all 04.png|center|thumb|300x300px]]

How to debug

2025-08-18T08:18:03Z

Rvogel1:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

===== Important log channels =====
{{Textbox|boxtype=important|header=Channel names must be ''exactly'' like listed here! Watch out for casing and spaces!|text=|icon=yes}}
{| class="wikitable"
!Source (Extension)
!Channel name(s)
!Use case
|-
|MW CORE
|<code>http</code>, <code>HttpError</code>
<code>JobExecutor</code>

<code>LocalFile</code>

<code>exception</code>

<code>DeferredUpdates</code>

<code>Parsoid</code>

<code>resourceloader</code>

<code>runJobs</code>

<code>session</code>, <code>login</code>

...
|
|-
|MWSTAKE COMPONENTS
|<code>ContentProvisioner</code>
<code>runjobs-trigger-runner</code>
|
|-
|Math
|<code>Math</code>
|Math
|-
|PluggableAuth
|<code>PluggableAuth</code>
|LDAP, SAML, OpenIDConnect
|-
|LDAPProvider
|<code>LDAP</code>
<code>MediaWiki\\Extension\\LDAPProvider\\Client</code>
|LDAP
|-
|LDAPAuthentication2
|<code>LDAPAuthentication2</code>
|LDAP
|-
|LDAPGroups
|<code>LDAPGroups</code>
|LDAP
|-
|LDAPUserInfo
|<code>LDAPUserInfo</code>
|LDAP
|-
|LDAPSyncAll
|<code>LDAPSyncAll</code>
|LDAP
|-
|LDAPAuthorization
|<code>LDAPAuthorization</code>
|LDAP
|-
|Auth_remoteuser
|<code>session</code>
|LDAP (SSO/Kerberos)
|-
|SimpleSAMLphp
|<code>SimpleSAMLphp</code>
|SAML
|-
|OpenIDConnect
|<code>OpenID Connect</code>
|OpenIDConnect
|-
|ImportOfficeFiles
|<code>ImportOfficeFiles</code>
<code>ImportOfficeFiles_RemoveOrphanedDirectories</code>

<code>ImportOfficeFiles_UI</code>
|
|-
|Workflows
|<code>workflows</code>
|
|-
|BlueSpiceArticlePreviewCapture
|<code>ArticlePreviewCapture</code>
|
|-
|OAuth
|<code>OAuth</code>
|
|-
|BlueSpiceUEModulePDF, BlueSpiceUEModuleBookPDF
|<code>BS::UEModulePDF</code>
|PDF
|-
|BlueSpiceExtendedSearch
|<code>BSExtendedSearch</code>
|Search
|-
|BlueSpiceWikiFarm
|<code>SimpleFarmerAPI</code>
|Farm operations
|}

===== Default exception log =====
By default, the application logs the channels <code>error</code> and <code>exception</code> into the regular PHP error log. In case <code>$wgShowExceptionDetails</code> is set to <code>false</code> , an user may just see something like this:
[[File:How to debug Internal Error No Details.png|border|center|thumb|617x617px]]
In such cases , administrators can check the PHP error log for the unique "error id".

Example:<syntaxhighlight lang="text">
> grep 48f97a8a07b0d68f245bf15d /var/logs/php_error

PHP message: [2024-10-04T15:02:47.217190+02:00] exception.ERROR: [48f97a8a07b0d68f245bf15d] /wiki/Special:Books Exception: File not found
{
"exception": "[object] (Exception(code: 0): File not found at /app/bluespice/w/extensions/BlueSpiceBookshelf/src/Special/Books.php:31)",
"exception_url": "/wiki/Special:Books",
"reqId": "48f97a8a07b0d68f245bf15d",
"caught_by": "entrypoint"
}
{
"host": "dc7af0034e3b",
"wiki": "bluespice",
"mwversion": "1.39.10",
"reqId": "48f97a8a07b0d68f245bf15d"
}
</syntaxhighlight>

=== Clientside output of serverside logs ===
Can be enabled using [[mediawikiwiki:Manual:$wgDebugToolbar|$wgDebugToolbar]]

Example:<syntaxhighlight lang="php">
$GLOBALS['wgDebugToolbar'] = isset( $_GET['dodebugtoolbar'] )
</syntaxhighlight>

With this setting you can append <code>?dodebugtoolbar=1</code> to the URL in the addressbar of your browser.

<gallery>
File:How to debug DebugToolbar1.png
File:How to debug DebugToolbar2.png
File:How to debug DebugToolbar3.png
File:How to debug DebugToolbar4.png
</gallery>

{{Textbox|boxtype=important|header=Incompatible with <code>$bsgDebugLogGroups</code>!|text=If you have any debug log channel wired via <code>$bsgDebugLogGroups</code> the clientside debug toolbar will not show all information. Some panels may be empty.|icon=yes}}

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}

'''Example:'''

[[File:How_to_debug_JS_console_01.png|center|frame]]

One can click the link on the right side of the line to see the location of where the error has emerged from.

'''Example:'''

[[File:How_to_debug_JS_console_02.png|center|frame]]

====Network panel====
Sometimes network communication in the background of the application fails. In such cases, the "Network" panel of the browsers developer tools may reveal more information.

The error is also shown in the "Console" tab.

'''Example:'''

[[File:How_to_debug_Network_panel_01.png|center|frame]]

When in the "Network" panel, one can select the faulty request from the list to get more information.

'''Example:'''

[[File:How_to_debug_Network_panel_02.png|center|frame]]

The various tabs "Header", "Payload", "Response", etc. can provide useful information. When reporting such an issue, you can just "copy" the information using the context menu.

'''Example:'''

[[File:How_to_debug_Network_panel_03.png|center|frame]]

====Network panel: Record complete communication====
Sometimes it may be required to{{Textbox
|boxtype=warning
|header=Do not share sensitive information in public places
|text=Make sure to only provide trustworthy parties with this kind of information. Do not post this in public places like https://community.bluespice.com
Use secure communication channels for transmission.
|icon=yes
}}

# Open a “private widow”
# Enable “Preserve log” in the “nework” panel of the browsers developer tools (F12)[[File:How to debug Network panel all 01.png|center|thumb|300x300px]]
# Enable"Allow to generate HAR with sensitive data" in the developer tools settings[[File:How to debug Network panel all 02.png|center|thumb|300x300px]][[File:How to debug Network panel all 03.png|center|thumb|300x300px]]
# Play through the entire process
# Save the HAR file for further analysis.[[File:How to debug Network panel all 04.png|center|thumb|300x300px]]