Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ZndoLWd2ZjYtbWZmOM4AA9vd
Silverpeas Core Cross-site Scripting vulnerability
In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.
Permalink: https://github.com/advisories/GHSA-vfwh-gvf6-mff8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ZndoLWd2ZjYtbWZmOM4AA9vd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-vfwh-gvf6-mff8, CVE-2024-39031
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39031
- https://github.com/toneemarqus/CVE-2024-39031
- https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346
- https://github.com/Silverpeas/Silverpeas-Core/commit/a0289f8a6f8b6a9ebc399973093118ddb48b77d8
- https://github.com/advisories/GHSA-vfwh-gvf6-mff8
Blast Radius: 1.0
Affected Packages
maven:org.silverpeas.core:silverpeas-core-seb
Affected Version Ranges: <= 6.3.5No known fixed version
maven:org.silverpeas.core:silverpeas-core-rs
Affected Version Ranges: <= 6.3.5No known fixed version