We highly recommend to update or patch your existing BlueSpice installations.
I want to thank Frederic for his support! And I’d like to take this chance to sketch out how we handle vulnerability reports. Usually, bugs are reported in our public forum. However, reporting a security related issue also means publishing the vulnerability right away, without giving us the chance to patch the software. Because of this, I ask you to report security issues directly to me by email: email@example.com. If possible, please encrypt the actual description of the vulnerability with GPG. My public key can be found on the MIT keyserver. We will then contact you, verify the vulnerability and provide a patch. After the patch is released, we will request a CVE number to have this properly documented. Of course, credits for finding the vulnerability go to the person that reported it.