CVE-2026-24732

Summary

Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.

HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

Affected Software

VendorProductVersion RangeStatus
Hallo Welt! GmbHBlueSpice5.1 <= 5.1.3affected
Hallo Welt! GmbHBlueSpice5.2 <= 5.2.0affected

Weaknesses

  • CWE-552: CWE-552 Files or Directories Accessible to External Parties
  • CWE-732: CWE-732 Incorrect Permission Assignment for Critical Resource

Workarounds

Make sure $wgGroupPermissions['*']['read'] is set to false in the  LocalSettings.php.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References