Stored Cross-Site Scripting Vulnerability in Silverpeas by Silverpeas
CVE-2025-45055

5.4 MEDIUM

Key Information:

Vendor: Silverpeas

CVE Published: 9 June 2025

What is CVE-2025-45055?

Silverpeas 6.4.2 contains a stored cross-site scripting (XSS) vulnerability within its event management module. The flaw allows authenticated users to upload malicious SVG files as event attachments. When these attachments are viewed by an administrator, the embedded JavaScript is executed in the admin's session, potentially enabling attackers to escalate their privileges by creating a new administrator account. The vulnerability emerges from inadequate sanitization of the SVG files and weak Cross-Site Request Forgery (CSRF) protections.
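An upload-side check for the active content described above, as an added example (not Silverpeas code and not the vendor's fix): it rejects an SVG attachment that carries script-capable elements, event-handler attributes, `javascript:` URLs or a DTD. The function name, finding labels and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
_CONTROL = re.compile(r"[\s\x00-\x20]+")

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds and lowercase the rest."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return ["not-utf8"]
    # Refuse DTDs outright: entity declarations can hide markup and inflate the parse.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not-well-formed"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append("root-not-svg")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"handler:{attr}")
            elif "javascript:" in _CONTROL.sub("", value).lower():
                findings.append(f"url:{attr}")
    return findings

# Constructed sample attachments (not taken from any real report).
NS = b'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
BENIGN = b'<svg ' + NS + b'><circle r="4"/></svg>'
SCRIPTED = b'<svg ' + NS + b'><script>/* constructed */</script></svg>'
HANDLER = b'<svg ' + NS + b' onload="f()"><circle r="4"/></svg>'
SPLIT_URL = b'<svg ' + NS + b'><a xlink:href="java&#10;script:f()"/></svg>'
WITH_DTD = b'<!DOCTYPE svg [<!ENTITY e "x">]><svg ' + NS + b'>&e;</svg>'
```

A filter like this is one layer only; serving user-uploaded SVG as a download or from a separate origin keeps anything it misses out of the administrator's session.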

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
