{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "BlueSpice Security Advisory - October 2025",
    "publisher": {
      "name": "BlueSpice",
      "contact_details": "Reported by various community members",
      "category": "vendor",
      "namespace": "https://www.bluespice.com"
    },
    "tracking": {
      "id": "BSSA-2025-05",
      "status": "final",
      "revision_history": [
        {
          "number": "1.0.0",
          "date": "2025-10-27T01:00:00.000Z",
          "summary": "Initial release"
        }
      ],
      "generator": {
        "date": "2025-10-27T08:42:29.936Z",
        "engine": {
          "version": "2.5.38",
          "name": "Secvisogram"
        }
      },
      "current_release_date": "2025-10-27T11:00:00.000Z",
      "initial_release_date": "2025-10-27T11:00:00.000Z",
      "version": "1.0.0"
    },
    "notes": [
      {
        "title": "False positives in 4.5.7 audit",
        "text": "Audit tools may detect CVE-2025-53625 and CVE-2025-59839 in builds of 4.5.7. This is because no fixed compatible versions of the affected components are available. The versions bundled with the 4.5.7 release do contain the necessary fixes for those issues as backports; only their version numbers are not recognized as fixed by the vulnerability databases.",
        "category": "other",
        "audience": "Sysadmins"
      }
    ],
    "acknowledgments": [
      {
        "names": [
          "Various community members"
        ],
        "organization": "BlueSpice",
        "summary": "Reported by various community members"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61634",
      "title": "Denial Of Service in MediaWiki Core / REST",
      "notes": [
        {
          "type": "general",
          "text": "Low severity. No mitigation provided.",
          "category": "summary",
          "title": "Summary"
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    },
    {
      "cve": "CVE-2025-61636",
      "title": "XSS in MediaWiki Core / HTMLForm",
      "notes": [
        {
          "type": "general",
          "text": "Low severity. Affected code not used in BlueSpice by default."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5"
        ]
      }
    },
    {
      "cve": "CVE-2025-61637",
      "title": "XSS in MediaWiki Core / Preview",
      "notes": [
        {
          "type": "general",
          "text": "Low severity. Requires admin privileges (NS_MEDIAWIKI)."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5"
        ]
      }
    },
    {
      "cve": "CVE-2025-61638",
      "title": "XSS in MediaWiki Core / Various",
      "notes": [
        {
          "type": "general",
          "text": "High severity. Part of standard editing functionality."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    },
    {
      "cve": "CVE-2025-61639",
      "title": "Information Disclosure in MediaWiki Core / RecentChanges",
      "notes": [
        {
          "type": "general",
          "text": "Medium severity. No mitigation provided."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    },
    {
      "cve": "CVE-2025-61655",
      "title": "XSS in Extension:VisualEditor",
      "notes": [
        {
          "type": "general",
          "text": "High severity. Part of standard editing functionality. Mitigation: Disable Extension:VisualEditor."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3",
          "BlueSpice 4.5.7"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    },
    {
      "cve": "CVE-2025-59839",
      "title": "XSS in Extension:EmbedVideo",
      "notes": [
        {
          "type": "general",
          "text": "High severity. Mitigation: Disable Extension:EmbedVideo."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    },
    {
      "cve": "CVE-2025-54370",
      "title": "Server-side Request Forgery in Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics, and Extension:BlueSpiceUEModuleTable2Excel",
      "notes": [
        {
          "type": "general",
          "text": "Medium severity. Mitigation: Disable the affected extensions."
        }
      ],
      "product_status": {
        "fixed": [
          "BlueSpice 5.1.3"
        ],
        "known_affected": [
          "BlueSpice 5",
          "BlueSpice 4"
        ]
      }
    }
  ]
}