BSSA-2025-01

Date: 2025-01-20
Severity: not reported
Affected: MediaWiki extension DataTransfer
Fixed in: BlueSpice 4.5.4
CVE: CVE-2025-23081

Problem

CVE-2025-23081 mentions several security issues with MediaWiki extensions < 1.39.11.
BlueSpice only uses one of these extensions: DataTransfer.

  • CVE-2025-23072: Concerns Extension:RefreshSpecial → not included in BlueSpice distribution → not affected
  • CVE-2025-23073: Concerns Extension:GlobalBlocking → not included in BlueSpice distribution → not affected
  • CVE-2025-23074: Concerns Extension:SocialProfile → not included in BlueSpice distribution → not affected
  • CVE-2025-23078: Concerns Extension:Breadcrumbs2 → not included in BlueSpice distribution → not affected
  • CVE-2025-23079: Concerns Extension:ArticleFeedbackv5 → not included in BlueSpice distribution → not affected
  • CVE-2025-23080: Concerns Extension:OpenBadges → not included in BlueSpice distribution → not affected
  • CVE-2025-23081: Concerns Extension:DataTransfer → included in BlueSpice distribution → affected
    • → BlueSpice 4.5.3 is affected
    • → BlueSpice 4.5.4 is not affected

Impact assessment

  • There is no official assessment by the author of the CVE. XSS and CSRF attacks in general allow identity theft and privilege escalation. This security vulnerability can only be exploited by users who have an account in the wiki (including accounts that have been created and then blocked).

Solution

  • We recommend updating to BlueSpice 4.5.4.
  • If an update is not possible, customers can simply deactivate the DataTransfer extension.
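
To confirm which wikis still need one of the two measures above, the following added example (not part of the original advisory or of BlueSpice) classifies a wiki from the JSON returned by the MediaWiki API query `action=query&meta=siteinfo&siprop=extensions`. Assumptions: the function names `extension_loaded` and `triage` are hypothetical, the BlueSpice version is supplied by the operator, the sample responses are constructed, and releases older than 4.5.3 are reported as unconfirmed because the advisory does not name them.

```python
import json
import re

FIXED_IN = (4, 5, 4)          # "Fixed in BlueSpice 4.5.4" per the advisory
KNOWN_AFFECTED = {(4, 5, 3)}  # the only affected release the advisory names


def extension_loaded(siteinfo: dict, wanted: str = "DataTransfer") -> bool:
    """True if the siteinfo extension list contains `wanted`.

    Names are compared case-insensitively with whitespace removed, so a
    registered name of "Data Transfer" also matches.
    """
    def norm(name: str) -> str:
        return re.sub(r"\s+", "", name).lower()

    exts = siteinfo.get("query", {}).get("extensions", [])
    return any(norm(e.get("name", "")) == norm(wanted) for e in exts)


def triage(siteinfo: dict, bluespice_version: str) -> str:
    """Classify one wiki against BSSA-2025-01."""
    # Keep the first three numeric parts, so "4.5.4-rc1" parses as (4, 5, 4).
    version = tuple(int(p) for p in re.findall(r"\d+", bluespice_version)[:3])
    if version >= FIXED_IN:
        return "fixed"
    if not extension_loaded(siteinfo):
        return "mitigated"    # extension deactivated, as the advisory suggests
    if version in KNOWN_AFFECTED:
        return "affected"
    return "unconfirmed"      # older release the advisory does not mention


# Constructed sample responses (not captured from a real wiki).
WITH_DT = json.loads('{"query": {"extensions": ['
                     '{"type": "specialpage", "name": "Data Transfer"},'
                     '{"type": "other", "name": "ExampleExtension"}]}}')
WITHOUT_DT = json.loads('{"query": {"extensions": ['
                        '{"type": "other", "name": "ExampleExtension"}]}}')

if __name__ == "__main__":
    for label, info, ver in [("wiki-a", WITH_DT, "4.5.3"),
                             ("wiki-b", WITHOUT_DT, "4.5.3"),
                             ("wiki-c", WITH_DT, "4.5.4")]:
        print(label, ver, triage(info, ver))
```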

Acknowledgements

Reported by a customer.