Cross-Site Scripting Vulnerability in Silverpeas Core Product
CVE-2024-39031

Currently unrated

Key Information:

Vendor

Silverpeas

Status
Silverpeas Core
Vendor
CVE Published:
9 July 2024

Badges

👾 Exploit Exists

What is CVE-2024-39031?

In Silverpeas Core versions up to 6.3.5, an XSS vulnerability exists within the Mes Agendas module. Users with standard access can create events and invite others, including administrators. By injecting malicious payloads into the 'Titre' and 'Description' fields during event creation, the attacker can execute arbitrary scripts on the profiles of invited users without any interaction. This vulnerability poses significant risks as it allows attackers to target not only standard users but also administrators within the same domain, leading to potential data compromise and unauthorized actions.

References

https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346
https://github.com/toneemarqus/CVE-2024-39031

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

.