Security:Security Advisories
{| class="wikitable sortable" style="width:100%;"
! Release name
! Release date
! Title
! References
! Summary
! Severity
|-
| [[Security:Security Advisories/BSSA-2025-07|BSSA-2025-07]]
| 2025-12-10
| Security vulnerability in the BlueSpice Search container
| [https://avd.aquasec.com/nvd/2025/cve-2025-66516 CVE-2025-66516]
| XML entity injection
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2025-06|BSSA-2025-06]]
| 2025-10-28
| Security vulnerabilities in various MediaWiki extensions that are part of the BlueSpice distribution
| [https://www.cve.org/CVERecord?id=CVE-2024-56171 CVE-2024-56171], [https://www.cve.org/CVERecord?id=CVE-2025-3277 CVE-2025-3277], [https://www.cve.org/CVERecord?id=CVE-2025-6965 CVE-2025-6965], [https://www.cve.org/CVERecord?id=CVE-2025-11173 CVE-2025-11173], [https://www.cve.org/CVERecord?id=CVE-2025-11175 CVE-2025-11175],
[https://www.cve.org/CVERecord?id=CVE-2025-53625 CVE-2025-53625], [https://www.cve.org/CVERecord?id=CVE-2025-54370 CVE-2025-54370], [https://www.cve.org/CVERecord?id=CVE-2025-54874 CVE-2025-54874], [https://www.cve.org/CVERecord?id=CVE-2025-59839 CVE-2025-59839],
[https://www.cve.org/CVERecord?id=CVE-2025-61634 CVE-2025-61634], [https://www.cve.org/CVERecord?id=CVE-2025-61635 CVE-2025-61635], [https://www.cve.org/CVERecord?id=CVE-2025-61636 CVE-2025-61636], [https://www.cve.org/CVERecord?id=CVE-2025-61637 CVE-2025-61637], [https://www.cve.org/CVERecord?id=CVE-2025-61638 CVE-2025-61638], [https://www.cve.org/CVERecord?id=CVE-2025-61639 CVE-2025-61639], [https://www.cve.org/CVERecord?id=CVE-2025-61640 CVE-2025-61640], [https://www.cve.org/CVERecord?id=CVE-2025-61641 CVE-2025-61641], [https://www.cve.org/CVERecord?id=CVE-2025-61642 CVE-2025-61642], [https://www.cve.org/CVERecord?id=CVE-2025-61643 CVE-2025-61643],
[https://www.cve.org/CVERecord?id=CVE-2025-61646 CVE-2025-61646], [https://www.cve.org/CVERecord?id=CVE-2025-61652 CVE-2025-61652], [https://www.cve.org/CVERecord?id=CVE-2025-61653 CVE-2025-61653], [https://www.cve.org/CVERecord?id=CVE-2025-61655 CVE-2025-61655], [https://www.cve.org/CVERecord?id=CVE-2025-61656 CVE-2025-61656], [https://www.cve.org/CVERecord?id=CVE-2025-61657 CVE-2025-61657],
[https://www.cve.org/CVERecord?id=CVE-2025-7458 CVE-2025-7458]
| Denial of Service, Cross-Site Scripting (XSS), Information Disclosure, Authentication bypass at content check, Server-Side Request Forgery (SSRF), Arbitrary Code Execution, Memory Corruption, Use-After-Free, Arbitrary SQL Execution
| class="col-red-bg" | High
|-
| [[Security:Security Advisories/BSSA-2025-05|BSSA-2025-05]]
| 2025-09-19
| XSS in Extension:AtMentions, Extension:BlueSpiceAvatars, Extension:BlueSpiceWhoIsOnline and Extension:CognitiveProcessDesigner
| [https://www.cve.org/CVERecord?id=CVE-2025-46703 CVE-2025-46703], [https://www.cve.org/CVERecord?id=CVE-2025-48007 CVE-2025-48007], [https://www.cve.org/CVERecord?id=CVE-2025-57880 CVE-2025-57880], [https://www.cve.org/CVERecord?id=CVE-2025-58114 CVE-2025-58114]
| Cross-Site Scripting (XSS)
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2025-04|BSSA-2025-04]]
| 2025-09-18
| Security vulnerabilities in the services <code>bluespice/search</code>, <code>bluespice/formular</code> and <code>bluespice/wiki</code>
| [https://nvd.nist.gov/vuln/detail/CVE-2025-54988 CVE-2025-54988], [https://avd.aquasec.com/nvd/2025/cve-2025-7783 CVE-2025-7783], [https://avd.aquasec.com/nvd/cve-2025-58050 CVE-2025-58050], [https://avd.aquasec.com/nvd/cve-2025-49794 CVE-2025-49794], [https://avd.aquasec.com/nvd/cve-2025-49796 CVE-2025-49796]
| Denial of Service, Information Disclosure
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2025-03|BSSA-2025-03]]
| 2025-07-28
| Security vulnerabilities in Extension:Scribunto, Extension:TabberNeue, Extension:TwoColConflict and Extension:Quiz
| [https://www.cve.org/CVERecord?id=CVE-2025-53501 CVE-2025-53501], [https://www.cve.org/CVERecord?id=CVE-2025-53494 CVE-2025-53494], [https://www.cve.org/CVERecord?id=CVE-2025-53093 CVE-2025-53093], [https://www.cve.org/CVERecord?id=CVE-2025-7057 CVE-2025-7057]
| Information Disclosure
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2025-02|BSSA-2025-02]]
| 2025-04-17
| Security vulnerabilities in Extension:OAuth
| [https://www.cve.org/CVERecord?id=CVE-2025-32068 CVE-2025-32068], [https://www.cve.org/CVERecord?id=CVE-2025-32074 CVE-2025-32074]
| Unauthorized access to the wiki, Cross-Site Scripting (XSS)
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| 2025-01-20
| Security vulnerabilities in Extension:DataTransfer
| [https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081]
| Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2023-02|BSSA-2023-02]]
| 2023-10-30
| Security vulnerabilities in Extension:BlueSpiceAvatars
| [https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
| Cross-Site Scripting (XSS)
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2023-01|BSSA-2023-01]]
| 2023-07-25
| Ghostscript vulnerability
| [https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
| Code can be executed on the server via a manipulated PDF
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
| Arbitrary HTML injection through use of interface elements
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
| Arbitrary HTML injection through personal menu items
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
| Arbitrary HTML injection through the custom menu
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
| Arbitrary HTML injection through the book navigation
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
| Arbitrary HTML injection through user preferences
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
| Arbitrary HTML injection through main navigation
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
| 2022-11-15
| XSS attack vector on regular pages
| [https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
| Arbitrary HTML injection through the 'title' parameter
| class="col-orange-bg" | Medium
|-
| [[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
| 2022-01-31
| XSS attack vector in Search Center
| [https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
| JavaScript in the search field is reflected back to the browser
| class="col-orange-bg" | Medium
|}

Latest revision as of 08:59, 10 December 2025

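To feed an advisory index like the table above into a vulnerability tracker, the following Python script, added here as an example and not code from the page or from the BlueSpice project, parses the wikitext form of the table, reduces link markup to the visible labels, extracts the CVE identifiers from the References column and flags the two data-quality defects such an index tends to accumulate: the same CVE listed twice within one advisory (as the BSSA-2025-06 row did before cleanup) and an identifier that is not in canonical CVE form. The embedded sample table is constructed for the example: two rows in the page's layout, with one duplicate and one malformed identifier introduced deliberately. The parser assumes the one-cell-per-line layout used on this page; inline <code>||</code> cell separators are not handled.

```python
"""Parse a BlueSpice-style advisory wikitable into structured records.
Added example, not page or project code. Handles the one-cell-per-line
wikitext layout the page uses; '||' inline separators are not supported."""
import json
import re
from dataclasses import asdict, dataclass, field

# Constructed sample in the page's layout. Row 2 deliberately lists one CVE
# twice and contains a malformed id, to show what the validator reports.
SAMPLE_WIKITEXT = """
{| class="wikitable sortable" style="width:100%;"
! Release name
! Release date
! Title
! References
! Summary
! Severity
|-
| [[Security:Security Advisories/BSSA-2025-07|BSSA-2025-07]]
| 2025-12-10
| Security vulnerability in BlueSpice Search container
| [https://avd.aquasec.com/nvd/2025/cve-2025-66516 CVE-2025-66516]
| XML entity injection
| class="col-green-bg" | Low
|-
| [[Security:Security Advisories/BSSA-2025-01|BSSA-2025-01]]
| 2025-01-20
| Security vulnerabilities in Extension:DataTransfer
| [https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081],
[https://www.cve.org/CVERecord?id=CVE-2025-23081 CVE-2025-23081], CVE-25-1
| Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
| class="col-orange-bg" | Medium
|}
"""

CVE_STRICT = re.compile(r"CVE-\d{4}-\d{4,}")                    # canonical id
CVE_LOOSE = re.compile(r"\bCVE-[\w-]+", re.IGNORECASE)           # anything CVE-like
ATTR_PREFIX = re.compile(r'^(?:\s*[\w-]+\s*=\s*"[^"]*")+\s*\|')  # class="x" |
WIKILINK = re.compile(r"\[\[[^\]|]*\|([^\]]*)\]\]")              # [[Page|label]]
EXTLINK = re.compile(r"\[https?://\S+\s+([^\]]*)\]")             # [url label]


@dataclass
class Advisory:
    name: str
    date: str
    title: str
    summary: str
    severity: str
    cves: list = field(default_factory=list)
    problems: list = field(default_factory=list)   # data-quality findings


def _clean(cell):
    """Drop cell attributes and reduce link markup to its visible label."""
    cell = ATTR_PREFIX.sub("", cell, count=1)
    cell = WIKILINK.sub(r"\1", cell)
    return EXTLINK.sub(r"\1", cell).strip()


def _rows(wikitext):
    """Yield the raw cells of each data row. A line starting with '|' opens
    a cell; any other line continues the previous cell (wrapped lists)."""
    cells = []
    for line in (ln.strip() for ln in wikitext.strip().splitlines()):
        if not line or line.startswith(("{|", "!")):
            continue                        # table start or header cell
        if line.startswith(("|-", "|}")):   # row separator or table end
            if cells:
                yield cells
            cells = []
        elif line.startswith("|"):
            cells.append(line[1:])
        elif cells:
            cells[-1] += " " + line
    if cells:
        yield cells


def parse_advisory_table(wikitext):
    advisories = []
    for cells in _rows(wikitext):
        cells = [_clean(c) for c in cells]
        if len(cells) != 6:
            continue                        # not an advisory row
        name, date, title, refs, summary, severity = cells
        adv = Advisory(name, date, title, summary, severity)
        for token in (t.upper() for t in CVE_LOOSE.findall(refs)):
            if not CVE_STRICT.fullmatch(token):
                adv.problems.append(f"malformed id {token}")
            elif token in adv.cves:
                adv.problems.append(f"duplicate id {token}")
            else:
                adv.cves.append(token)
        advisories.append(adv)
    return advisories


if __name__ == "__main__":
    parsed = parse_advisory_table(SAMPLE_WIKITEXT)
    print(json.dumps([asdict(a) for a in parsed], indent=2))
```

Run against the real page source, the `problems` list is the part worth watching: a duplicate identifier inflates counts in any tracker that sums CVEs per advisory, and a malformed one silently fails to match an NVD feed, so both should block an automated import rather than be dropped quietly.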