Date | 2025-04-17
Severity | reported 10.0, BlueSpice assessment: medium
Affected | MediaWiki extensions OAuth and ConfirmAccount
Fixed in | fix not yet available; workaround available
CVE | CVE-2025-32068, CVE-2025-32074
Problem
MediaWiki issued a security release affecting core and several extensions. The release is also covered by the BSI security advisory WID-SEC-2025-0790.
BlueSpice is mostly not affected, with the notable exception of two extensions:
- Extension:OAuth. This is shipped with every BlueSpice version above 4.4.
- Extension:ConfirmAccount. This is shipped only with the BlueSpice cloud editions.
Impact assessment
Summary: BlueSpice 4.5.x is affected, but only under specific usage conditions. The reported CVE rating of 10.0 does not apply in the context of BlueSpice; we rate it a medium threat.
- Extension:OAuth. A consumer whose access token has been revoked can obtain a new access token that remains valid, and thus regains access. This only applies if the OAuth extension is actively in use and an access token was granted and later revoked.
- Extension:ConfirmAccount. Interface messages can be prepared to include malicious code. The attacker needs interface-admin rights to change system messages, which can then result in an XSS attack. In the BlueSpice default configuration this applies to members of the sysop group.
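The two conditions above can be checked against a wiki's own API before deciding whether the workaround is needed. The following script is an added example for this page, not code from Hallo Welt!, MediaWiki or the advisory. It uses the standard MediaWiki API queries `meta=siteinfo&siprop=extensions` (which extensions are loaded) and `list=allusers&augroup=...&auprop=groups` (who is in a group that can edit system messages). Whether a revoked OAuth token exists is not exposed through these queries, so for OAuth the script only reports whether the extension is loaded at all. The API URL is a placeholder and the JSON responses embedded below are constructed samples, not captured from a real wiki.

```python
"""Check a MediaWiki/BlueSpice instance for the preconditions in this advisory:
is OAuth loaded, is ConfirmAccount loaded, and which accounts hold a group
that can edit MediaWiki: namespace messages (the right an attacker needs for
the ConfirmAccount XSS).

Added example, not code from Hallo Welt! or the MediaWiki project.
"""
import json
import sys
import urllib.parse
import urllib.request

AFFECTED_EXTENSIONS = ("OAuth", "ConfirmAccount")
# interface-admin is MediaWiki's group for editing interface messages; the
# advisory states that in a default BlueSpice setup sysop can do so as well.
PRIVILEGED_GROUPS = ("interface-admin", "sysop")


def loaded_affected_extensions(siteinfo):
    """Return the affected extension names present in a siteinfo response."""
    names = {ext.get("name") for ext in siteinfo.get("query", {}).get("extensions", [])}
    return [name for name in AFFECTED_EXTENSIONS if name in names]


def privileged_users(allusers):
    """Return {username: [privileged groups]} from an allusers response."""
    result = {}
    for user in allusers.get("query", {}).get("allusers", []):
        groups = [g for g in user.get("groups", []) if g in PRIVILEGED_GROUPS]
        if groups:
            result[user["name"]] = groups
    return result


def assess(siteinfo, allusers):
    """Map both responses onto the advisory's impact conditions."""
    loaded = loaded_affected_extensions(siteinfo)
    editors = privileged_users(allusers)
    return {
        "oauth_loaded": "OAuth" in loaded,
        "confirmaccount_loaded": "ConfirmAccount" in loaded,
        # XSS precondition: ConfirmAccount present and someone can edit messages.
        "confirmaccount_xss_possible": "ConfirmAccount" in loaded and bool(editors),
        "message_editors": editors,
    }


def api_query_all(api_url, params):
    """Run an API query and follow 'continue' so paginated lists are complete."""
    params = dict(params, format="json", formatversion="2")
    merged = {"query": {}}
    while True:
        url = api_url + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=30) as resp:
            page = json.load(resp)
        for key, value in page.get("query", {}).items():
            if isinstance(value, list):
                merged["query"].setdefault(key, []).extend(value)
            else:
                merged["query"][key] = value
        if "continue" not in page:
            return merged
        params.update(page["continue"])  # MediaWiki continuation parameters


# Constructed sample responses (illustrative, not captured from a real wiki).
SAMPLE_SITEINFO = {"query": {"extensions": [
    {"type": "other", "name": "OAuth", "version": "1.1.0"},
    {"type": "other", "name": "BlueSpiceFoundation", "version": "4.5.4"},
]}}
SAMPLE_ALLUSERS = {"query": {"allusers": [
    {"userid": 1, "name": "WikiSysop", "groups": ["sysop", "bureaucrat"]},
    {"userid": 7, "name": "Editor", "groups": ["editor"]},
]}}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        api = sys.argv[1]  # e.g. https://wiki.example.org/w/api.php (placeholder)
        siteinfo = api_query_all(api, {"action": "query", "meta": "siteinfo",
                                       "siprop": "extensions"})
        allusers = api_query_all(api, {"action": "query", "list": "allusers",
                                       "augroup": "|".join(PRIVILEGED_GROUPS),
                                       "auprop": "groups", "aulimit": "max"})
    else:
        siteinfo, allusers = SAMPLE_SITEINFO, SAMPLE_ALLUSERS
    print(json.dumps(assess(siteinfo, allusers), indent=2))
```

Run it with the wiki's `api.php` URL as the only argument; without an argument it evaluates the constructed samples. A result with `oauth_loaded` true means the OAuth condition still has to be checked manually (has any access token been granted and then revoked); `confirmaccount_xss_possible` lists the accounts that would have to be trusted or reviewed.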
Solution
Hallo Welt! is working on an updated release.
- We recommend updating to BlueSpice 4.5.5 (not yet published).
- If an update is not possible, customers can deactivate the OAuth extension until the fix is available. Note that this workaround covers only the OAuth extension.
Acknowledgements
Reported by BSI.