CVE-2025-57880

5.4 MEDIUM

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in BlueSpice's WhoIsOnline extension due to improper output encoding. Attackers can inject malicious scripts that execute in users' browsers when viewing affected pages. This affects BlueSpice installations running versions 5.0 through 5.1.1.

💻 Affected Systems

Products:
  • BlueSpice MediaWiki distribution
  • BlueSpiceWhoIsOnline extension
Versions: 5.0 through 5.1.1
Operating Systems: All platforms running BlueSpice
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the WhoIsOnline extension which is typically enabled by default in BlueSpice installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal session cookies, perform actions as authenticated users, deface the wiki, or redirect users to malicious sites, potentially leading to complete account compromise.

🟠 Likely Case

Attackers inject malicious JavaScript to steal session tokens or credentials from authenticated users, leading to unauthorized access to the wiki system.

🟢 If Mitigated

Once the extension encodes its output correctly (the 5.1.2 fix), injected markup is rendered as literal text instead of being interpreted by the browser, and the issue is reduced to cosmetic content manipulation with no script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to have some level of access to inject malicious content, but detailed exploitation methods are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BlueSpice 5.1.2 or later

Vendor Advisory: https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05

Restart Required: No

Instructions:

1. Update BlueSpice to version 5.1.2 or later.
2. Alternatively, update only the BlueSpiceWhoIsOnline extension to the patched version.
3. Clear any caches after updating. No service restart is required, but if PHP opcache runs with opcache.validate_timestamps=0 the old extension code stays in memory until PHP-FPM (or the web server's PHP module) is reloaded, so reload it to be sure the patched files are the ones being served.

🔧 Temporary Workarounds

Disable WhoIsOnline Extension

Platforms: all

Temporarily disable the vulnerable extension until patching is possible. The who-is-online feature is unavailable while it is disabled.

Find the line that loads the extension, comment it out (or remove it), then clear caches:

// wfLoadExtension( 'BlueSpiceWhoIsOnline' );

In a BlueSpice install this line may live in a bundled settings file rather than in LocalSettings.php itself; grep the installation directory for BlueSpiceWhoIsOnline to locate it. Confirm on Special:Version that the extension no longer appears in the installed extensions list.

🧯 If You Can't Patch

  • Send a strict Content Security Policy so injected inline script does not execute. MediaWiki has built-in CSP support ($wgCSPHeader, with $wgCSPReportOnlyHeader for a report-only trial); roll it out in report-only mode first, because MediaWiki and BlueSpice rely on inline scripts that the policy must permit.
  • Add web application firewall (WAF) rules that block script tags, event-handler attributes and javascript: URLs in requests, including their URL-encoded forms. If the unencoded value is data stored through another page, the injecting request never touches a WhoIsOnline endpoint, so do not scope the rule to that URL alone.

🔍 How to Verify

Check if Vulnerable:

Check the BlueSpice version on the Special:Version page (or in the wiki footer). If it is between 5.0 and 5.1.1 inclusive and BlueSpiceWhoIsOnline appears in the installed extensions list on the same page, the system is vulnerable.

Check Version:

Open Special:Version in the browser, or query the MediaWiki API, which needs no login: api.php?action=query&meta=siteinfo&siprop=general|extensions&format=json returns the MediaWiki version and every loaded extension together with its version.

Verify Fix Applied:

After updating, verify that Special:Version shows 5.1.2 or later for both BlueSpice and the BlueSpiceWhoIsOnline entry, then load the WhoIsOnline page to confirm it still works without errors.
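A version check that compares release numbers numerically rather than as strings, as an added example (this is not the advisory's or BlueSpice's code). It assumes MediaWiki's siteinfo API is reachable at <wiki>/api.php and that the BlueSpiceWhoIsOnline extension reports its version under the name "BlueSpiceWhoIsOnline" in the same 5.x scheme as the BlueSpice release; the sample API response is constructed.

```python
"""Added example (not from the advisory or BlueSpice): decide whether a wiki's
reported version falls in the CVE-2025-57880 range (5.0 <= v < 5.1.2).

Assumptions: MediaWiki's siteinfo API is reachable at <wiki>/api.php, and the
BlueSpiceWhoIsOnline extension reports its version under the name
"BlueSpiceWhoIsOnline" in the same scheme as the BlueSpice release.
"""
import json
import re
import urllib.request

AFFECTED_FROM = (5, 0, 0)   # first affected release named on this page
FIXED_IN = (5, 1, 2)        # first fixed release named on this page


def parse_version(text):
    """Turn '5.1.1' or '5.1' into a comparable tuple of ints.

    Integer tuples avoid the classic string-compare bug where
    '5.1.10' < '5.1.2'. Missing components count as 0.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True if version is in [5.0.0, 5.1.2).

    False only means 'outside the range this advisory lists', not 'safe':
    a version below 5.0 is simply not covered by the page.
    """
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def assess_siteinfo(siteinfo):
    """Evaluate a decoded siteinfo response: is the extension loaded, and affected?"""
    extensions = siteinfo.get("query", {}).get("extensions", [])
    versions = {e.get("name"): e.get("version", "") for e in extensions}
    if "BlueSpiceWhoIsOnline" not in versions:
        return {"loaded": False, "version": None, "affected": False}
    ver = versions["BlueSpiceWhoIsOnline"]
    return {"loaded": True, "version": ver, "affected": is_affected(ver)}


def fetch_siteinfo(base_url):
    """Query a live wiki (needs network; the offline sample below does not use it)."""
    url = (base_url.rstrip("/") + "/api.php?action=query&meta=siteinfo"
           "&siprop=general|extensions&format=json")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response, shaped like MediaWiki's siteinfo output.
SAMPLE_SITEINFO = {
    "query": {
        "general": {"generator": "MediaWiki 1.43.1", "sitename": "Example Wiki"},
        "extensions": [
            {"type": "other", "name": "BlueSpiceFoundation", "version": "5.1.1"},
            {"type": "specialpage", "name": "BlueSpiceWhoIsOnline", "version": "5.1.1"},
        ],
    }
}

if __name__ == "__main__":
    # Against a real wiki: assess_siteinfo(fetch_siteinfo("https://wiki.example.org"))
    print(assess_siteinfo(SAMPLE_SITEINFO))
```

The extension list is the part worth checking: a wiki can run an affected BlueSpice release with the extension removed, or a patched release with a stale copy of the extension left in place, and only the per-extension version on Special:Version (or in siteinfo) tells the two apart.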

📡 Detection & Monitoring

Log Indicators:

  • Script tags, event-handler attributes (onload=, onerror=) or javascript: URLs in request URIs, in plain or URL-encoded form
  • Repeated requests to WhoIsOnline-related endpoints from one client with varying suspicious parameters (probing)

Network Indicators:

  • Browsers of logged-in wiki users contacting unfamiliar external domains shortly after loading wiki pages (a common sign of cookie or token exfiltration)
  • Note that the script runs in the victim's browser, not on the wiki host, so client-side egress is where the evidence appears, not server-side outbound traffic

SIEM Query:

(source="apache_access" OR source="nginx_access") AND uri="*WhoIsOnline*" AND (uri="*<script*" OR uri="*%3Cscript*" OR uri="*javascript:*" OR uri="*onload=*" OR uri="*onerror=*" OR uri="*onload%3D*" OR uri="*onerror%3D*")

Adjust the field name to your log source: Splunk's access_combined sourcetype, for example, splits the request into uri_path and uri_query, so the payload patterns belong on uri_query. Match the URL-encoded forms as well as the literal ones, since browsers and tools normally encode < and = in query strings.
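The same detection logic run directly over access-log lines, as an added example (not from the advisory): it parses combined-format entries, URL-decodes the request target repeatedly so double-encoded payloads are not missed, and separates hits aimed at the WhoIsOnline page from hits elsewhere. It assumes the special page is reached via index.php?title=Special:WhoIsOnline; the query parameters in the sample lines (q, x, preloadtitle) and the lines themselves are constructed for illustration.

```python
"""Added example (not from the advisory): scan web-server access logs for
XSS-looking payloads, and flag those aimed at the WhoIsOnline special page.

Assumptions: Apache/nginx 'combined' log format; the special page is reached
via index.php?title=Special:WhoIsOnline; the extra query parameters in the
sample lines (q, x, preloadtitle) are made up for illustration.
"""
import re
from urllib.parse import unquote_plus

# Combined format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Markers for script injection: tag openers, javascript: URLs, on* handlers.
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body|video|audio)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_target(target, rounds=2):
    """URL-decode repeatedly so %253C (double-encoded '<') is caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hit = XSS_RE.search(decoded)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "status": m.group("status"),
        "target": decoded,
        "marker": hit.group(0),
        # True when the payload targets the WhoIsOnline page itself
        "whoisonline": "whoisonline" in decoded.lower(),
    }


def scan(lines):
    """Findings for every suspicious line, in input order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Sep/2025:10:01:02 +0000] "GET /index.php?title=Special:WhoIsOnline HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Sep/2025:10:02:10 +0000] "GET /index.php?title=Special:WhoIsOnline&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "curl/8.4"',
    '203.0.113.7 - - [12/Sep/2025:10:02:11 +0000] "GET /index.php?title=Special:WhoIsOnline&x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200 "-" "curl/8.4"',
    '203.0.113.9 - - [12/Sep/2025:10:05:40 +0000] "GET /index.php?title=Main_Page&preloadtitle=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two limits to keep in mind when reading the output: POST bodies are not in access logs, so a payload stored through a form submission is invisible here and shows up, if at all, as the later GET that renders it; and the on*= pattern will occasionally fire on harmless parameter names, so treat a hit as a lead to review rather than an alert on its own.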
