CVE-2025-46703
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into BlueSpice wiki pages through the AtMentions extension. When exploited, it enables cross-site scripting (XSS) attacks that can steal user sessions, deface content, or perform actions as authenticated users. It affects all BlueSpice installations running versions 5.0 through 5.1.1 with the AtMentions extension enabled.
💻 Affected Systems
- BlueSpice MediaWiki with AtMentions extension
📦 What is this software?
BlueSpice by Hallo Welt! GmbH
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over wiki administration, exfiltrate sensitive data, or deploy malware to users' browsers.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing sites, or deface wiki content.
If Mitigated
With proper input validation and output encoding, the attack surface is reduced, but the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires the ability to inject malicious content into wiki pages, typically through editing privileges or compromised accounts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BlueSpice 5.1.2 or later
Vendor Advisory: https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05
Restart Required: No
Instructions:
1. Back up your BlueSpice installation and database.
2. Update BlueSpice to version 5.1.2 or later via the MediaWiki update mechanism or a manual installation.
3. Verify the AtMentions extension is updated as part of the core update.
4. Clear any caches and test functionality.
🔧 Temporary Workarounds
Disable AtMentions Extension
Temporarily disable the vulnerable extension until patching is possible.
Edit LocalSettings.php and comment out (or remove) the line that loads the extension, so that it reads:
// wfLoadExtension( 'BlueSpiceAtMentions' );
Implement Content Security Policy (CSP)
Add CSP headers to restrict script execution and mitigate XSS impact.
Add to the web server configuration (Apache example shown) or to LocalSettings.php: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
Adjust directives based on your specific needs. Note that 'unsafe-inline' and 'unsafe-eval' permit inline script execution, so as written this policy offers little protection against injected inline scripts; tighten script-src only after confirming the wiki's own inline scripts still work, and consider starting with a report-only policy to measure breakage.
🧯 If You Can't Patch
- Restrict editing privileges to trusted users only to limit attack surface.
- Implement web application firewall (WAF) rules to block common XSS payloads in user input.
🔍 How to Verify
Check if Vulnerable:
Check BlueSpice version in the wiki footer or via Special:Version page; if version is between 5.0 and 5.1.1 inclusive, and AtMentions extension is enabled, the system is vulnerable.
Check Version:
Check the wiki footer or visit Special:Version in your BlueSpice installation.
Verify Fix Applied:
After updating, confirm version is 5.1.2 or later on Special:Version page and test AtMentions functionality for proper encoding of user inputs.
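As an added example (not part of this advisory and not BlueSpice's own tooling), the following Python helper turns the "between 5.0 and 5.1.1 inclusive, with AtMentions enabled" check above into code. It parses the version string as shown on Special:Version (the exact display format is an assumption) into a numeric tuple, which avoids the string-comparison mistake where "5.1.10" would sort before "5.1.2".

```python
import re

# Vulnerable range and first fixed release, as stated in the advisory.
VULN_MIN = (5, 0, 0)
VULN_MAX = (5, 1, 1)
FIXED = (5, 1, 2)


def parse_version(text):
    """Extract the first major.minor[.patch] triple from a version string.

    Accepts raw "5.1.1" as well as decorated strings such as
    "BlueSpice 5.1.1 (free)" (assumed display format, not verified
    against Special:Version output). A missing patch number is 0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text, atmentions_enabled):
    """True when the version is in [5.0, 5.1.1] and AtMentions is loaded."""
    v = parse_version(version_text)
    # Tuple comparison is numeric per component, so 5.1.10 > 5.1.2.
    return bool(atmentions_enabled and VULN_MIN <= v <= VULN_MAX)


def is_fixed(version_text):
    """True when the version is at or above the first patched release."""
    return parse_version(version_text) >= FIXED


if __name__ == "__main__":
    for sample in ["5.0", "5.1.1", "5.1.2", "5.1.10", "BlueSpice 5.1.1 (free)"]:
        print(sample, "vulnerable" if is_vulnerable(sample, True) else "not vulnerable")
```

The extension-enabled flag is left as an input because how an installation loads AtMentions (individually or as part of a bundle) varies; read it from the Special:Version extension list rather than assuming it.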
📡 Detection & Monitoring
Log Indicators:
- Unusual edit patterns in wiki logs, especially with script tags or JavaScript in content.
- Multiple failed login attempts followed by content edits.
Network Indicators:
- Outbound connections to suspicious domains from wiki pages.
- Unexpected JavaScript execution in browser developer tools.
SIEM Query:
source="bluespice_logs" AND (event="edit" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:"))
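As an added example (not part of this advisory and not BlueSpice's own code), the Python script below runs the idea behind the SIEM query over a few constructed edit-log lines in an assumed `timestamp | user | page | content` format. It contrasts the query's literal, case-sensitive match on `<script>` and `javascript:` with case-insensitive patterns that also flag mixed-case tags, `javascript:` URIs and inline event handlers, which is why the literal query alone under-reports.

```python
import re

# Constructed sample edit-log lines (not real BlueSpice output).
# Assumed format: timestamp | user | page | content
SAMPLE_LOG = """\
2025-05-01T10:00:00Z | alice | Main_Page | Hello @bob, please review the draft.
2025-05-01T10:05:12Z | mallory | Main_Page | Thanks @alice <script>alert(1)</script>
2025-05-01T10:07:44Z | mallory | Sandbox | <SCRIPT src="https://example.invalid/x.js"></SCRIPT>
2025-05-01T10:09:01Z | carol | Help | See <a href="JavaScript:alert(1)">link</a>
2025-05-01T10:12:30Z | dave | Sandbox | <img src=x onerror=alert(1)>
2025-05-01T10:15:00Z | erin | Docs | Discussing the javascript language in general.
"""

# Case-insensitive indicators; order determines the order of names reported.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
}


def parse_line(line):
    """Split one log line into a record; maxsplit keeps ' | ' inside content intact."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    ts, user, page, content = parts
    return {"ts": ts, "user": user, "page": page, "content": content}


def classify(content):
    """Return the names of all indicator patterns that match the content."""
    return [name for name, rx in PATTERNS.items() if rx.search(content)]


def scan(log_text):
    """Return records for every edit whose content matches at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = classify(rec["content"])
        if matched:
            rec["indicators"] = matched
            hits.append(rec)
    return hits


def literal_query_hits(log_text):
    """Count edits the advisory's literal SIEM query would match (case-sensitive)."""
    count = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ("<script>" in rec["content"] or "javascript:" in rec["content"]):
            count += 1
    return count


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["user"], h["page"], ",".join(h["indicators"]))
    print("literal query would have matched:", literal_query_hits(SAMPLE_LOG))
```

The event-handler pattern is a heuristic and will occasionally flag benign text such as `online=`; treat these as triage leads to be reviewed alongside the page history, not as automatic blocks. Wikitext stored by MediaWiki may also differ from the rendered HTML, so apply the patterns to whatever field your log pipeline actually captures.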