Security:Security Advisories/BSSA-2025-02: Difference between revisions

Redaktion (talk | contribs)

Latest revision as of 14:03, 30 April 2025

Date: 2025-04-17
Severity: reported 10.0, BlueSpice assessment: medium
Affected: MediaWiki extension OAuth, ConfirmAccount
Fixed in: fix not yet available; workaround available
CVE: CVE-2025-32068, CVE-2025-32074

Problem

MediaWiki issued a security release affecting core and several extensions. The issue is also covered by the BSI security advisory WID-SEC-2025-0790.

BlueSpice is mostly not affected, with the notable exception of

  • Extension:OAuth. This is shipped in all BlueSpice versions > 4.4.
  • Extension:ConfirmAccount. This is only shipped in BlueSpice cloud editions.

Impact assessment

Summary: BlueSpice 4.5.x is affected, but only in edge case usage. The CVE rating of 10.0 does not apply in the context of BlueSpice. We rate it a medium threat.

  • Extension:OAuth. A consumer can obtain a new access token that remains valid, and thus gain access. This only applies if the OAuth extension is actively in use and an access token has been granted and subsequently revoked.
  • Extension:ConfirmAccount. Interface messages can be prepared to include malicious code. The attacker needs interface-admin rights to change system messages, which can then result in an XSS attack. In a default BlueSpice setup, this is the case for members of the sysop group.
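Added example, not part of the advisory: a small Python check that reads a MediaWiki siteinfo response (the real `action=query&meta=siteinfo&siprop=extensions|usergroups` API output) and reports whether either advisory-listed extension is installed and which groups hold the `editinterface` right, which is assumed here to be what the advisory means by interface-admin rights. The two siteinfo samples are constructed for the example.

```python
import json

# Extensions the advisory names as affected, and the MediaWiki right that
# lets a user edit system messages (what the advisory calls interface-admin rights).
AFFECTED_EXTENSIONS = {"OAuth", "ConfirmAccount"}
INTERFACE_RIGHT = "editinterface"

# Constructed sample of api.php?action=query&meta=siteinfo&siprop=extensions|usergroups&format=json
SAMPLE_SITEINFO = json.dumps({
    "query": {
        "extensions": [
            {"type": "other", "name": "BlueSpiceFoundation", "version": "4.5.2"},
            {"type": "other", "name": "OAuth", "version": "1.1.0"},
            {"type": "parserhook", "name": "Cite"},
        ],
        "usergroups": [
            {"name": "*", "rights": ["read"]},
            {"name": "user", "rights": ["read", "edit"]},
            {"name": "sysop", "rights": ["read", "edit", "editinterface", "block"]},
        ],
    }
})
# Second constructed sample: a cloud-style install that also ships ConfirmAccount.
SAMPLE_CLOUD = SAMPLE_SITEINFO.replace('"name": "Cite"', '"name": "ConfirmAccount"')


def installed_affected(siteinfo_json):
    """Return the advisory-listed extensions that this wiki has installed."""
    data = json.loads(siteinfo_json)
    names = {ext.get("name") for ext in data["query"].get("extensions", [])}
    return sorted(names & AFFECTED_EXTENSIONS)


def interface_admin_groups(siteinfo_json):
    """Return the groups whose members can edit system messages."""
    data = json.loads(siteinfo_json)
    return sorted(group["name"] for group in data["query"].get("usergroups", [])
                  if INTERFACE_RIGHT in group.get("rights", []))


def assess(siteinfo_json):
    """Summarise exposure to BSSA-2025-02 for one siteinfo response."""
    affected = installed_affected(siteinfo_json)
    return {
        "affected_extensions": affected,
        "oauth_exposed": "OAuth" in affected,
        "confirmaccount_exposed": "ConfirmAccount" in affected,
        # Only meaningful when ConfirmAccount is present: who could alter the system messages.
        "groups_with_editinterface": interface_admin_groups(siteinfo_json) if "ConfirmAccount" in affected else [],
    }
```

Run `assess()` on the JSON your own wiki returns for that API call; a non-empty `groups_with_editinterface` list is the set of accounts to review for the ConfirmAccount issue.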

Solution

Hallo Welt! is working on an updated release.

  • We recommend updating to BlueSpice 4.5.5 (not yet published).
  • If an update is not possible, customers can simply deactivate the OAuth extension.

Acknowledgements

Reported by BSI.