Security:Security Advisories/BSSA-2025-01: Difference between revisions

Latest revision as of 13:32, 27 February 2025



Date	2025-01-20
Severity	not reported
Affected	MediaWiki extension DataTransfer
Fixed in	BlueSpice 4.5.4
CVE	CVE-2025-23081

CVE-2025-23081 mentions several security issues with MediaWiki extensions < 1.39.11 .
BlueSpice only uses one of these extensions: DataTransfer.

CVE-2025-23072: Concerns Extension:RefreshSpecial → not included in BlueSpice distribution → not affected
CVE-2025-23073: Concerns Extension:GlobalBlocking → not included in BlueSpice distribution → not affected
CVE-2025-23074: Concerns Extension:SocialProfile → not included in BlueSpice distribution → not affected
CVE-2025-23078: Concerns Extension:Breadcrumbs2 → not included in BlueSpice distribution → not affected
CVE-2025-23079: Concerns Extension:ArticleFeedbackv5 → not included in BlueSpice distribution → not affected
CVE-2025-23080: Concerns Extension:OpenBadges → not included in BlueSpice distribution → not affected
CVE-2025-23081: Concerns Extension:DataTransfer → Included in BlueSpice distribution → affected
- → BlueSpice 4.5.3 is affected
- → BlueSpice 4.5.4 ist not affected

There is no official assessment by the author of the CVE. XSS and CSRF attacks in general allow identity theft and privilege escalation. This security vulnerability can only be exploited by users who are created in the wiki (including those who have been created and blocked).

We recommend updating to BlueSpice 4.5.4.
If an update is not possible, customers can simply deactivate the DataTransfer extension.

Reported by a customer.

@@ Line 1: / Line 1: @@
-{{Featurepage|featured=true|featuredesc=CVE-2025-23081: Security vulnerabilities in extension DataTransfer|featurestart=01/20/2025}}
 {| class="wikitable"
 |+