Date | 2025-01-20 |
Severity | not reported |
Affected | MediaWiki extension DataTransfer |
Fixed in | BlueSpice 4.5.4 |
CVE | CVE-2025-23081 |
Problem
CVE-2025-23081 mentions several security issues with MediaWiki extensions < 1.39.11.
BlueSpice only uses one of these extensions: DataTransfer.
- CVE-2025-23072: Concerns Extension:RefreshSpecial → not included in BlueSpice distribution → not affected
- CVE-2025-23073: Concerns Extension:GlobalBlocking → not included in BlueSpice distribution → not affected
- CVE-2025-23074: Concerns Extension:SocialProfile → not included in BlueSpice distribution → not affected
- CVE-2025-23078: Concerns Extension:Breadcrumbs2 → not included in BlueSpice distribution → not affected
- CVE-2025-23079: Concerns Extension:ArticleFeedbackv5 → not included in BlueSpice distribution → not affected
- CVE-2025-23080: Concerns Extension:OpenBadges → not included in BlueSpice distribution → not affected
- CVE-2025-23081: Concerns Extension:DataTransfer → Included in BlueSpice distribution → affected
- → BlueSpice 4.5.3 is affected
- → BlueSpice 4.5.4 is not affected
Impact assessment
- There is no official assessment by the author of the CVE. XSS and CSRF attacks in general allow identity theft and privilege escalation. This security vulnerability can only be exploited by users who have an account in the wiki (including accounts that have been created and then blocked).
Solution
- We recommend updating to BlueSpice 4.5.4.
- If an update is not possible, customers can simply deactivate the DataTransfer extension.
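One way to confirm which of the two remedies above is in effect on a given wiki, as an added example that is not part of the original advisory or of BlueSpice. It assumes the wiki's list of loaded extensions has been saved as JSON from the standard MediaWiki API (`api.php?action=query&meta=siteinfo&siprop=extensions&format=json`), that the BlueSpice version is supplied by the operator, and that every version below 4.5.4 is unfixed; the function names and the sample data are constructed for illustration.

```python
import re

FIXED_IN = (4, 5, 4)  # "Fixed in BlueSpice 4.5.4" per the advisory

# Constructed sample of a siteinfo response (not real output from any wiki).
SAMPLE_SITEINFO = {
    "query": {
        "extensions": [
            {"type": "other", "name": "SampleExtension", "version": "0.0.0-sample"},
            {"type": "specialpage", "name": "Data Transfer", "version": "0.0.0-sample"},
        ]
    }
}


def parse_version(text):
    """'4.5.3' -> (4, 5, 3); missing parts count as 0, suffixes are ignored."""
    matches = (re.match(r"\d+", part) for part in text.split("."))
    nums = [int(m.group()) for m in matches if m]
    return tuple((nums + [0, 0, 0])[:3])


def datatransfer_loaded(siteinfo):
    """True if a loaded extension is DataTransfer (spaces and case ignored)."""
    extensions = siteinfo.get("query", {}).get("extensions", [])
    names = (ext.get("name", "") for ext in extensions)
    return any(re.sub(r"[\s_-]", "", n).lower() == "datatransfer" for n in names)


def assess(siteinfo, bluespice_version):
    """Return 'fixed', 'mitigated' or 'affected' for this advisory."""
    if parse_version(bluespice_version) >= FIXED_IN:
        return "fixed"        # updated to 4.5.4 or later
    if not datatransfer_loaded(siteinfo):
        return "mitigated"    # unfixed release, but DataTransfer is deactivated
    return "affected"         # unfixed release with DataTransfer still loaded


if __name__ == "__main__":
    print(assess(SAMPLE_SITEINFO, "4.5.3"))
```
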
Acknowledgements
Reported by a customer.