Date | 2025-09-19 |
Severity | Medium |
Affected | Current LTS version 5.1, < 5.1.2 |
Fixed in | 5.1.2 |
CVE | CVE-2025-46703, CVE-2025-48007, CVE-2025-57880 |
Problem
- XSS in Extension:AtMentions
- XSS in Extension:BlueSpiceAvatars
- XSS in Extension:BlueSpiceWhoIsOnline
- XSS in Extension:CognitiveProcessDesigner
Impact assessment
- Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline - A logged-in user can execute malicious JavaScript in other users' browsers and, for example, hijack their sessions
- Extension:CognitiveProcessDesigner - A user with edit permissions can execute malicious JavaScript in other users' browsers and, for example, hijack their sessions
Solution
Update to BlueSpice 5.1.2
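For administrators who run several wikis, the practical question is which installations fall into the affected range stated above. The following checker is an added example, not code from the BlueSpice project or this advisory. It assumes version strings of the form "major.minor" or "major.minor.patch" (a missing patch component is read as .0), evaluates only the 5.1 LTS line named in the advisory, and reports every other line as not covered rather than guessing about it. The CVE identifiers and extension names are copied from the advisory; the inventory in the usage block is constructed sample data.

```python
"""Added example (not BlueSpice project code): decide whether an installed
BlueSpice version falls in the affected range stated in this advisory.

Assumptions (not taken from the advisory text): version strings look like
"5.1", "5.1.1" or "5.1.2"; a missing patch component means .0; only the 5.1
LTS line named in the advisory is evaluated, any other line is reported as
"not covered" instead of being judged.
"""

# Identifiers copied from the advisory.
FIXED_IN = "5.1.2"
CVES = ("CVE-2025-46703", "CVE-2025-48007", "CVE-2025-57880")
AFFECTED_EXTENSIONS = (
    "AtMentions",
    "BlueSpiceAvatars",
    "BlueSpiceWhoIsOnline",
    "CognitiveProcessDesigner",
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; patch defaults to 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BlueSpice version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(installed: str) -> dict:
    """Return the advisory's verdict for one installed version string."""
    ver = parse_version(installed)
    fixed = parse_version(FIXED_IN)
    if ver[:2] != fixed[:2]:
        # The advisory only names the 5.1 LTS line; say nothing about others.
        return {
            "version": installed,
            "affected": None,
            "reason": "version line not covered by this advisory",
            "cves": (),
            "extensions": (),
        }
    affected = ver < fixed
    return {
        "version": installed,
        "affected": affected,
        "reason": f"< {FIXED_IN}" if affected else f">= {FIXED_IN}",
        "cves": CVES if affected else (),
        "extensions": AFFECTED_EXTENSIONS if affected else (),
    }


def check_fleet(versions) -> list:
    """Assess every version in an inventory; return only those needing the update."""
    return [r for r in (assess(v) for v in versions) if r["affected"]]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"wiki-a": "5.1", "wiki-b": "5.1.1", "wiki-c": "5.1.2", "wiki-d": "4.5.3"}
    for host, version in inventory.items():
        result = assess(version)
        verdict = f"update to {FIXED_IN}" if result["affected"] else result["reason"]
        print(f"{host} ({version}): {verdict}")
```

Because "5.1" with no patch component is read as 5.1.0, an installation that reports its version that way is counted as affected, which matches the advisory's "< 5.1.2". A 4.x or 5.0 installation gets `affected: None` so that it is neither silently cleared nor wrongly flagged on the strength of an advisory that does not mention it.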
Acknowledgements
Reported by SomeRandomDeveloper