CVE-2023-47325
Description
A low-privileged authenticated user can access Silverpeas Core 6.3.1's Bin feature, viewing, restoring, or permanently deleting all deleted spaces.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Analysis
CVE-2023-47325 is a broken access control vulnerability in the administrative "Bin" feature of Silverpeas Core 6.3.1. The root cause is that the feature does not enforce proper authorization checks; it only verifies that the user is authenticated, without checking if the user has administrative privileges required to access the bin [4]. As a result, any authenticated user, including those with low privileges, can directly access the bin's URL.
Exploitation
To exploit this vulnerability, an authenticated user simply navigates to the URL http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ViewBin. The bin page renders successfully, revealing all deleted spaces without any additional authorization [4]. No special permissions or elevated access are needed beyond being logged into the application.
Impact
Once inside the bin, the low-privileged user can restore any deleted space or permanently delete spaces. This allows an attacker to recover sensitive data that administrators intended to remove, or to permanently destroy deleted data, causing data loss. The confidentiality, integrity, and availability of deleted spaces are compromised [2][4].
Mitigation
Silverpeas has addressed this vulnerability in version 6.3.2. Users should upgrade to the latest version to apply the fix. There is no known workaround for older versions [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.silverpeas.core:silverpeas-core-web (Maven) | < 6.3.2 | 6.3.2 |
Affected products
- Silverpeas/Core
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing access control check on the administrative "Bin" page allows any authenticated user to view and modify deleted spaces.
Attack vector
An authenticated attacker with low privileges (e.g., a standard user) can directly navigate to `http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ViewBin` [ref_id=1]. The server renders the bin page without verifying that the requester holds administrative rights, revealing all deleted spaces. The attacker can then restore or permanently delete those spaces, violating the intended access control policy [CWE-284].
Affected code
The administrative "Bin" feature at the URL path `/RjobStartPagePeas/jsp/ViewBin` lacks access control checks. The advisory does not specify the exact source file or function responsible for the missing restriction [ref_id=1].
What the fix does
The advisory states that the vulnerability is fixed in Silverpeas Core version 6.3.2 [ref_id=1]. No patch diff is provided in the bundle, so the exact code change is unknown; however, the fix presumably adds an authorization check to the "ViewBin" endpoint to ensure only administrative users can access the bin and modify deleted spaces.
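The gate the advisory describes as missing, modelled as added example code that is not Silverpeas source: the `Session`, `Request` and `Bin` types, the route tables and the role name `admin` are assumptions; only the bin path comes from the advisory. The same dispatcher is run once with an authentication-only route table (the 6.3.1 behaviour) and once with a role requirement, which is the shape of fix the advisory implies.

```python
"""Authentication-only versus authentication-plus-role gating of the bin endpoint.

Added illustration, not Silverpeas code. Session, Request, Bin, the route
tables and the role name "admin" are assumptions; the path is from the advisory.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

BIN_PATH = "/silverpeas/RjobStartPagePeas/jsp/ViewBin"  # endpoint named in the advisory
ADMIN_ROLE = "admin"  # assumed role name


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    path: str
    action: str = "view"               # "view", "restore" or "purge"
    space: Optional[str] = None
    session: Optional[Session] = None  # None means the caller is not logged in


class Bin:
    """Holds deleted spaces. restore/purge mutate state, so the dispatcher must guard them."""

    def __init__(self, deleted: List[str]):
        self.deleted = list(deleted)
        self.restored: List[str] = []

    def view(self) -> List[str]:
        return list(self.deleted)

    def restore(self, space: str) -> None:
        self.deleted.remove(space)
        self.restored.append(space)

    def purge(self, space: str) -> None:
        self.deleted.remove(space)  # permanent deletion


# Route table: path -> roles a session must hold. An empty set means "any
# authenticated user", which is the 6.3.1 behaviour the advisory describes.
ROUTES_VULNERABLE: Dict[str, Set[str]] = {BIN_PATH: set()}
ROUTES_FIXED: Dict[str, Set[str]] = {BIN_PATH: {ADMIN_ROLE}}


def dispatch(routes: Dict[str, Set[str]], req: Request, bin_: Bin) -> Tuple[int, Optional[List[str]]]:
    """Central gate: authenticate, then authorize by role, then act.

    Returns (status, body) with HTTP-like statuses: 302 login redirect,
    403 forbidden, 404 unknown route, 400 bad action.
    """
    if req.session is None:
        return 302, None
    required = routes.get(req.path)
    if required is None:
        return 404, None
    # The authorization step 6.3.1 lacked: every required role must be held.
    if not required.issubset(req.session.roles):
        return 403, None
    if req.action == "view":
        return 200, bin_.view()
    if req.action == "restore" and req.space in bin_.deleted:
        bin_.restore(req.space)
        return 200, bin_.view()
    if req.action == "purge" and req.space in bin_.deleted:
        bin_.purge(req.space)
        return 200, bin_.view()
    return 400, None


def demo(routes: Dict[str, Set[str]]) -> Dict[str, object]:
    """Runs an anonymous caller, a low-privileged user and an administrator
    against one bin and returns the statuses plus what is left in the bin."""
    bin_ = Bin(["hr-archive", "finance-2021"])  # constructed sample data
    low = Session("alice", frozenset({"user"}))
    admin = Session("root", frozenset({"user", ADMIN_ROLE}))
    results: Dict[str, object] = {}
    results["anon_view"] = dispatch(routes, Request(BIN_PATH), bin_)[0]
    results["low_view"] = dispatch(routes, Request(BIN_PATH, session=low), bin_)[0]
    results["low_purge"] = dispatch(routes, Request(BIN_PATH, "purge", "hr-archive", low), bin_)[0]
    results["admin_restore"] = dispatch(routes, Request(BIN_PATH, "restore", "finance-2021", admin), bin_)[0]
    results["remaining"] = bin_.view()
    return results


if __name__ == "__main__":
    print("6.3.1-style:", demo(ROUTES_VULNERABLE))
    print("role-gated: ", demo(ROUTES_FIXED))
```

With the authentication-only table the low-privileged user both reads and purges the bin; with the role requirement the same requests are refused with 403 while the administrator's restore still succeeds. Putting the role check in one dispatcher rather than in each page keeps a new administrative route from silently inheriting the weaker gate.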
Preconditions
- auth: Attacker must have a valid low-privilege session on the Silverpeas instance
- network: Attacker must be able to reach the `/RjobStartPagePeas/jsp/ViewBin` URL
Reproduction
1. Log in to Silverpeas Core 6.3.1 as a low-privileged user.
2. Navigate to `http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ViewBin`.
3. Observe that the bin renders all deleted spaces.
4. Use the provided UI controls to restore or permanently delete any deleted space [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.