BSSA-2025-06

Date 2025-10-22
Severity
Affected Current LTS version 5.1, < 5.1.3; Legacy version 4.5, < 4.5.7
Fixed in 5.1.3; 4.5.7
CVE

Problem

  • CVE-2025-61634: Core/REST → Denial of Service → BlueSpice 5 affected
  • CVE-2025-61636: Core/HTMLForm → XSS → BlueSpice 5 affected
  • CVE-2025-61637: Core/Preview → XSS → BlueSpice 5 affected
  • CVE-2025-61638: Core/Various → XSS → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61639: Core/RecentChanges → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61640: Core/RecentChanges → XSS → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61641: Core/ActionAPI → Denial of Service → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61642: Core/HTMLForm → XSS → BlueSpice 5 affected
  • CVE-2025-61643: Core/RecentChanges (Feed) → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61646: Core/RecentChanges + Watchlist → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61635: Extension:ConfirmEdit → Part of distribution, but disabled by default → Not affected
  • CVE-2025-61652, CVE-2025-11175: Extension:DiscussionTools → Information Disclosure → Part of distribution, but disabled by default → Not affected
  • CVE-2025-11173: Extension:OATHAuth → Bypass authn at content check → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61653: Extension:TextExtracts → Information Disclosure → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61655, CVE-2025-61656: Extension:VisualEditor → XSS → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-61657: Skin:Vector → Part of distribution, but disabled by default → Not affected
  • CVE-2025-61638: Parsoid → XSS → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-53625: Extension:DynamicPageList → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-59839: Extension:EmbedVideo → BlueSpice 5 affected, BlueSpice 4 affected
  • CVE-2025-54370: Extension:DataTransfer, Extension:BlueSpiceExtendedStatistics and Extension:BlueSpiceUEModuleTable2Excel → BlueSpice 5 affected, BlueSpice 4 affected

Impact assessment

TBD

Solution

  • Update to BlueSpice 5.1.3
  • Update to BlueSpice 4.5.7

False positives in 4.5.7 audit

Audit tools may flag CVE-2025-53625 and CVE-2025-59839 in builds of 4.5.7. No fixed releases of the affected components (Extension:DynamicPageList and Extension:EmbedVideo) exist that are compatible with the 4.5 line, so the versions bundled with the 4.5.7 release carry the necessary fixes as backports. Their version numbers are therefore not recorded as fixed in the vulnerability databases, which is why version-matching audit tools still report these two CVEs against an otherwise fixed 4.5.7 installation.
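The affected ranges in the header and the 4.5.7 backport caveat can be applied mechanically across an inventory of installations. The script below is an added example for this advisory, not BlueSpice tooling or code from the advisory itself. It assumes dotted version strings such as "4.5.7" or "v5.1.10" and audit output already reduced to a list of CVE IDs (both assumed input formats), and it applies the false-positive exception only to exactly 4.5.7, which is the build the advisory names.

```python
"""Added example: check BlueSpice versions against the BSSA-2025-06 ranges.

Not BlueSpice tooling. Assumes dotted version strings ("4.5.7", "v5.1.10")
and audit findings supplied as a list of CVE IDs (assumed input format).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the advisory header: release line -> first fixed version.
# Every release in the line below that version is affected.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (5, 1): (5, 1, 3),   # Current LTS 5.1, < 5.1.3
    (4, 5): (4, 5, 7),   # Legacy 4.5, < 4.5.7
}

# CVEs that version-matching audit tools still report for exactly 4.5.7 because the
# fixes are backports whose version numbers are unknown to vulnerability databases.
# Keyed on the exact build; the advisory says nothing about later 4.5.x builds.
BACKPORT_FALSE_POSITIVES: Dict[Version, Tuple[str, ...]] = {
    (4, 5, 7): ("CVE-2025-53625", "CVE-2025-59839"),
}


def parse_version(text: str) -> Version:
    """Parse '4.5.7' or 'v5.1.10' into a numeric tuple.

    Numeric comparison matters: a string compare ranks '5.1.10' below '5.1.3'.
    Non-digit suffixes in a component are ignored; missing components become 0,
    so '4.5' means 4.5.0.
    """
    parts = text.strip().lstrip("vV").split(".")
    nums: List[int] = []
    for part in parts[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


@dataclass(frozen=True)
class Assessment:
    version: Version
    status: str                          # "affected", "fixed" or "not-covered"
    fix_version: Optional[Version]       # upgrade target when status == "affected"
    audit_false_positives: Tuple[str, ...]


def assess(version_text: str) -> Assessment:
    """Classify one installation against the advisory's affected ranges."""
    version = parse_version(version_text)
    line = (version[0], version[1])
    if line not in FIXED_IN:
        # The advisory covers only the 5.1 and 4.5 lines; say so rather than guess.
        return Assessment(version, "not-covered", None, ())
    fixed = FIXED_IN[line]
    if version < fixed:
        return Assessment(version, "affected", fixed, ())
    return Assessment(version, "fixed", None, BACKPORT_FALSE_POSITIVES.get(version, ()))


def triage_audit_findings(version_text: str,
                          reported_cves: List[str]) -> Tuple[List[str], List[str]]:
    """Split an audit tool's CVE list into (needs attention, expected false positive)."""
    expected = set(assess(version_text).audit_false_positives)
    real = [cve for cve in reported_cves if cve not in expected]
    false_positive = [cve for cve in reported_cves if cve in expected]
    return real, false_positive


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"wiki-a": "5.1.2", "wiki-b": "5.1.10", "wiki-c": "4.5.7"}
    for host, ver in inventory.items():
        a = assess(ver)
        print(host, ver, a.status, a.fix_version, a.audit_false_positives)
    # Constructed audit output for wiki-c (4.5.7): one real finding, two backport false positives.
    print(triage_audit_findings("4.5.7",
                                ["CVE-2025-53625", "CVE-2025-61638", "CVE-2025-59839"]))
```

Anything the tool reports for a 4.5.7 build beyond the two listed CVEs is still a real finding and is kept in the first list; the exception is deliberately narrow so that a later component advisory is not silently suppressed.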


Acknowledgements

Reported by various community members