Skip to content

Silverpeas Core Cross-site Scripting vulnerability

Moderate severity GitHub Reviewed Published Jul 9, 2024 to the GitHub Advisory Database • Updated Jul 26, 2024

Package

org.silverpeas.core:silverpeas-core-rs (Maven)

Affected versions

<= 6.3.5

Patched versions

None
org.silverpeas.core:silverpeas-core-seb (Maven)
<= 6.3.5
None

Description

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

References

Published by the National Vulnerability Database Jul 9, 2024
Published to the GitHub Advisory Database Jul 9, 2024
Reviewed Jul 10, 2024
Last updated Jul 26, 2024

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2024-39031

GHSA ID

GHSA-vfwh-gvf6-mff8

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.