| Date | 2025-07-28 |
| Severity | reported 9.1, BlueSpice assessment: medium |
| Affected | MediaWiki extensions Scribunto, TabberNeue, TwoColConflict, Quiz |
| Fixed in | fix not yet available; workaround available |
| CVE | CVE-2025-53501, CVE-2025-53494, CVE-2025-53093, CVE-2025-7057 |
Problem
MediaWiki issued a security release affecting several extensions. This is also included in a BSI security advisory WID-SEC-2025-1525.
BlueSpice is mostly not affected, with the notable exception of
- Extension:Scribunto. This is shipped in all BlueSpice editions, but only enabled by default in PRO, FARM, CLOUD, ERM and CLOUDOGU edition.
- Extension:TabberNeue. This is shipped and enabled only in BlueSpice PRO, FARM, CLOUD, ERM and CLOUDOGU edition
- Extension:TwoColConflict. This is shipped and enabled in all BlueSpice editions.
- Extension:Quiz. This is shipped but disabled by default in all BlueSpice editions.
Impact assessment
Summary: BlueSpice 4.5.x is affected, but the attack vectors require elevated privileges. BlueSpice 5.1.x is not affected at all.
- Extension:Scribunto. In order to exploit the vulnerability, the user must have permission to edit the "Module" namespace.
- Extension:TabberNeue. The shipped version is not affected by the issue.
- Extension:TwoColConflict. In order to exploit the vulnerability, the user must have permission to edit the "MediaWiki" namespace.
- Extension:Quiz In order to exploit the vulnerability, the user must have permission to edit the "MediaWiki" namespace. The extension is disabled by default.
Solution
Hallo Welt! is working on an updated release.
- We recommend updating to BlueSpice 4.5.6 (not yet published).
- If an update is not possible, customers can simply deactivate the extensions "Scribunto", "TwoColConflict" and if required "Quiz".
- For the vulnerability in Extension:Scribunto, one can also lock down the edit permissions of the "Module" namespace.
Acknowledgements
Reported by BSI.
