Silverpeas: community verdicts
10 notable / known-exploited Silverpeas CVEs the community has triaged.
- CVE-2024-42850CRIT 9.8Real · low riskEPSS 1%
An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.
- CVE-2024-42849MED 6.5EPSS 1%
An issue in Silverpeas v.6.4.2 and lower allows a remote attacker to cause a denial of service via the password change function.
- CVE-2023-47323HIGH 7.5Real · low riskEPSS 1%
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.
- CVE-2023-47320HIGH 8.1Real · low riskEPSS 1%
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below.
- CVE-2023-47321MED 4.9EPSS 1%
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Porlet Deployer" which allows administrators to deploy .WAR portlets.
- CVE-2023-47324MED 5.4EPSS 1%
Silverpeas Core 6.3.1 is vulnerable to Cross Site Scripting (XSS) via the message/notification feature.
- CVE-2023-47327MED 4.3EPSS 1%
The "Create a Space" feature in Silverpeas Core 6.3.1 is reserved for use by administrators. This function suffers from broken access control, allowing any authenticated user to create a space by navigating to the correct URL.
- CVE-2023-47325MED 5.4EPSS 0%
Silverpeas Core 6.3.1 administrative "Bin" feature is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces.
- CVE-2023-47322HIGH 8.8Real · low riskEPSS 0%
The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.
- CVE-2023-47326HIGH 8.8Real · low riskEPSS 0%
Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function.