Security:Security Advisories/BSSA-2025-06


Revision as of 06:29, 20 October 2025

Date      2025-09-19
Severity  Medium
Affected  Current LTS version 5.1, < 5.1.2
Fixed in  5.1.2
CVE       CVE-2025-46703, CVE-2025-48007, CVE-2025-57880, CVE-2025-58114

Problem

  • XSS in Extension:AtMentions
  • XSS in Extension:BlueSpiceAvatars
  • XSS in Extension:BlueSpiceWhoIsOnline
  • XSS in Extension:CognitiveProcessDesigner

Impact assessment

  • Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged-in user can execute malicious JavaScript on other users' clients and thereby, for example, hijack their sessions
  • Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript on other users' clients and thereby, for example, hijack their sessions

Solution

Update to BlueSpice 5.1.2

Acknowledgements

Reported by SomeRandomDeveloper