VYPR
Moderate severity · NVD Advisory · Published Sep 2, 2025 · Updated Sep 2, 2025

CVE-2025-46047

Description

A user enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Silverpeas 6.4.1 and 6.4.2 have a user enumeration vulnerability in the ForgotPassword endpoint that allows attackers to identify valid usernames.

The vulnerability is a user enumeration issue in the forgot-password functionality of Silverpeas. The /CredentialsServlet/ForgotPassword endpoint exposes different HTTP status codes depending on whether the submitted username exists. According to the commit fixing this issue [1], the application also displayed a distinct message for an unknown login, and that message was removed to prevent enumeration; the primary exploitation vector, however, is the status code discrepancy.

An unauthenticated remote attacker can send POST requests to the vulnerable endpoint with the Login parameter set to a potential username. As demonstrated in the public proof-of-concept [3], a response with HTTP status 200 OK indicates a valid username, while a 302 Found response indicates an invalid one. This difference allows an attacker to systematically enumerate valid accounts without authentication.

Successful enumeration enables an attacker to compile a list of valid usernames, which can be leveraged in further attacks such as password guessing, phishing, or credential stuffing. The exposure of this information increases the risk of account compromise, especially if combined with weak password policies.

The vulnerability affects Silverpeas versions 6.4.1 and 6.4.2. It has been fixed in version 6.4.3, as referenced in the Silverpeas Core commit [1]. Users are strongly advised to upgrade to the latest version to mitigate this and other potential issues. No workarounds have been documented, so applying the patch is recommended.
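As an added defensive example (not code from the advisory or from Silverpeas), the following script flags the enumeration pattern described above in a constructed, hypothetical application-log format: one source submitting many distinct Login values to /CredentialsServlet/ForgotPassword within a short window. It keys only on the distinct-login rate, so it keeps working once the patched version no longer leaks a 200/302 difference; the status tallies are reported as context. The log layout, IP addresses and user names are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, hypothetical log format (NOT Silverpeas' real log layout):
# "<ISO timestamp> <client ip> POST /CredentialsServlet/ForgotPassword Login=<value> status=<code>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /CredentialsServlet/ForgotPassword '
    r'Login=(?P<login>\S*) status=(?P<status>\d{3})$'
)

# Constructed sample: one source sweeps six different logins in three seconds
# (pre-patch 200/302 mix), another source retries its own login twice.
SAMPLE_LOG = """\
2025-09-02T10:00:00 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=alice status=200
2025-09-02T10:00:01 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=bob status=302
2025-09-02T10:00:01 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=carol status=302
2025-09-02T10:00:02 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=dave status=200
2025-09-02T10:00:02 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=erin status=302
2025-09-02T10:00:03 203.0.113.7 POST /CredentialsServlet/ForgotPassword Login=frank status=302
2025-09-02T10:05:00 198.51.100.9 POST /CredentialsServlet/ForgotPassword Login=grace status=200
2025-09-02T10:07:00 198.51.100.9 POST /CredentialsServlet/ForgotPassword Login=grace status=200
"""


def parse(log_text):
    """Yield (timestamp, ip, login, status) for lines hitting the ForgotPassword endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["login"], int(m["status"]))


def detect_enumeration(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: (distinct_logins, count_200, count_302)} for every source that
    submitted at least `threshold` distinct Login values inside a sliding `window`."""
    events = sorted(parse(log_text))
    per_ip = defaultdict(deque)  # ip -> recent (ts, login, status) events within window
    alerts = {}
    for ts, ip, login, status in events:
        q = per_ip[ip]
        q.append((ts, login, status))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        logins = {l for _, l, _ in q}
        if len(logins) >= threshold:
            ok = sum(1 for _, _, s in q if s == 200)
            redir = sum(1 for _, _, s in q if s == 302)
            alerts[ip] = (len(logins), ok, redir)  # keep the latest, largest picture
    return alerts


if __name__ == "__main__":
    for ip, (n, ok, redir) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct logins in window ({ok} x 200, {redir} x 302)")
```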

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.silverpeas.core:silverpeas-core (Maven)
Affected versions: >= 6.4.1, < 6.4.3
Patched versions: 6.4.3

Affected products: 2

Patches: 1 (commit c283ce13d81b)

Bug #14829

https://github.com/Silverpeas/Silverpeas-Core · Miguel Moquillon · Apr 10, 2025 · via ghsa
17 files changed · +18 -126
  • core-api/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties · +0 -3 · modified
    @@ -22,9 +22,6 @@
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     #
     
    -# Allow user to change his password from login page
    -changePwdFromLoginPageActive = false
    -
     # By default login answer to personal question is not crypted
     loginAnswerEncrypted = false
     
    
  • core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail_fr.properties · +1 -3 · modified
    @@ -27,11 +27,9 @@ newPassword.subject=Confirmation de r\u00e9initialisation de mot de passe
     error.subject=R\u00e9initialisation de mot de passe (erreur)
     admin.subject=R\u00e9initialisation de mot de passe (demande)
     
    -screen.title.changeRequested = Changer votre mot de passe
     screen.title.reinitRequested = R\u00e9initialisation de votre mot de passe
     screen.title.reinitDone = Mot de passe r\u00e9initialis\u00e9
    -screen.invalidLogin = Il n'existe aucun compte pour cet identifiant.<br/>Veuillez v\u00e9rifier votre identifiant...
    -screen.reinitRequested = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message explique comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
    +screen.reinitRequested=Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse email associ\u00e9e \u00e0 de votre compte si celui-ci existe. Le message vous expliquera comment obtenir un nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables. <br /> <br /> Si apr\u00e8s un certain temps vous n'avez toujours pas re\u00e7u de mail, soit votre identifiant est invalide, soit la modification de votre mot de passe n'est permise (auquel cas, contactez votre administrateur).
     screen.reinitNotAllowed = La r\u00e9initialisation de votre mot de passe n'est pas autoris\u00e9.<br/>Veuillez contacter votre administrateur...
     screen.reinitDone = Un message \u00e9lectronique a \u00e9t\u00e9 envoy\u00e9 \u00e0 l'adresse \u00e9lectronique associ\u00e9e \u00e0 votre compte. Ce message contient votre nouveau mot de passe.<br/><br/>Un certain temps peut \u00eatre n\u00e9cessaire avant la r\u00e9ception des messages. N'oubliez pas de v\u00e9rifier que le message n'est pas pass\u00e9 dans votre dossier de messages ind\u00e9sirables.
     screen.reinitError = La r\u00e9initialisation de votre mot de passe a \u00e9chou\u00e9.<br/>Veuillez contacter votre administrateur...
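Review bot: the added screen.reinitRequested line has two grammar slips: "associ\u00e9e \u00e0 de votre compte" has a stray "de", and the last sentence "soit la modification de votre mot de passe n'est permise" is missing "pas" ("n'est pas permise"). Merging the unknown-login and known-login wording into one neutral message is the right change for the page body; only note that the key is written "screen.reinitRequested=" while its neighbours use " = ", harmless to the parser but inconsistent.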
    
  • core-configuration/src/main/config/properties/org/silverpeas/authentication/multilang/forgottenPasswordMail.properties · +1 -3 · modified
    @@ -27,11 +27,9 @@ newPassword.subject=Confirmation of password reset
     error.subject=Password reset (error)
     admin.subject=Password reset (request)
     
    -screen.title.changeRequested = Change your password
     screen.title.reinitRequested = Reset your password
     screen.title.reinitDone = Password reset
    -screen.invalidLogin = There is no account for this login. <br/> Please check it...
    -screen.reinitRequested = An email has been sent to the email address associated with your account. This message explains how to get a new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
    +screen.reinitRequested=An email has been sent to the email address associated with your account if this one exists. The message will explain you how to get a new password. <br/> Some time may be required prior to receiving the message. Remember to verify the message has not gone into your spam folder. <br /> <br /> If after a while you didn't receive any email, either your login is invalid or the your password change isn't allowed (in this case, contact your administrator).
     screen.reinitNotAllowed = Resetting your password is not allowed. <br/> Please contact your administrator ...
     screen.reinitDone = An email has been sent to the email address associated with your account. This message contains your new password. <br/> Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
     screen.reinitError = Resetting your password failed. <br/> Please contact your administrator ...
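Review bot: wording in the added screen.reinitRequested line: "The message will explain you how" should read "The message will explain how", and "or the your password change isn't allowed" has a doubled article. The content itself is right: the page no longer tells the visitor whether the login exists, which closes the body-text half of the enumeration, and the removed screen.invalidLogin key has no remaining reader once the InvalidLogin branch goes from defaultReInitPassword.jsp.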
    
  • core-configuration/src/main/config/properties/org/silverpeas/authentication/settings/authenticationSettings.properties · +0 -2 · modified
    @@ -21,8 +21,6 @@
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     #
    -# Allow user to change his password from login page
    -changePwdFromLoginPageActive = false
     
     # By default, login answer to personal question is not encrypted
     loginAnswerEncrypted = false
    
  • core-library/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties · +0 -1 · modified
    @@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
     loginQuestion.2=Quelle est votre ville de naissance ?
     loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
     
    -forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
     forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
     forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
     forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
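Review bot: dropping forgottenPasswordInvalidLogin matches the removal of the InvalidLogin branch in defaultReInitPassword.jsp, but the production copy of generalLook.properties under core-configuration is not among the 17 files in this commit (only test and integration-test copies are), so the key presumably stays in shipped configuration as a dead entry; harmless now that ForgotPasswordHandler never returns it, but worth cleaning up. The context lines also show U+FFFD replacement characters in the French question strings, a pre-existing encoding loss in these test resources that this change does not touch.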
    
  • core-library/src/test/resources/org/silverpeas/authentication/settings/authenticationSettings.properties · +0 -3 · modified
    @@ -22,9 +22,6 @@
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     #
     
    -# Allow user to change his password from login page
    -changePwdFromLoginPageActive = false
    -
     # By default login answer to personal question is not crypted
     loginAnswerEncrypted = false
     
    
  • core-library/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties · +0 -1 · modified
    @@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
     loginQuestion.2=Quelle est votre ville de naissance ?
     loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
     
    -forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
     forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
     forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
     forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
    
  • core-services/chat/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties · +0 -1 · modified
    @@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
     loginQuestion.2=Quelle est votre ville de naissance ?
     loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
     
    -forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
     forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
     forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
     forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
    
  • core-services/chat/src/test/resources/org/silverpeas/lookAndFeel/generalLook.properties · +0 -1 · modified
    @@ -71,7 +71,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\u00e8re ?
     loginQuestion.2=Quelle est votre ville de naissance ?
     loginQuestion.3=Quelle est le nom de votre animal pr\u00e9f\u00e9r\u00e9 ?
     
    -forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
     forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
     forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
     forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
    
  • core-services/workflow/src/integration-test/resources/org/silverpeas/lookAndFeel/generalLook.properties · +0 -1 · modified
    @@ -61,7 +61,6 @@ loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
     loginQuestion.2=Quelle est votre ville de naissance ?
     loginQuestion.3=Quelle est le nom de votre animal pr\ufffdf\ufffdr\ufffd ?
     
    -forgottenPasswordInvalidLogin = /defaultReInitPassword.jsp?Action=InvalidLogin
     forgottenPasswordChangeAllowed = /defaultReInitPassword.jsp?Action=FirstMailSended
     forgottenPasswordChangeNotAllowed = /defaultReInitPassword.jsp?Action=ChangeNotAllowed
     forgottenPasswordReset = /defaultReInitPassword.jsp?Action=NewPasswordSended
    
  • core-test/src/main/resources/org/silverpeas/authentication/settings/authenticationSettings.properties · +0 -2 · modified
    @@ -21,8 +21,6 @@
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     #
    -# Allow user to change his password from login page
    -changePwdFromLoginPageActive = false
     
     # By default login answer to personal question is not encrypted
     loginAnswerEncrypted = false
    
  • core-war/src/main/webapp/defaultLogin.jsp · +0 -29 · modified
    @@ -112,16 +112,6 @@
           }
         }
     
    -    function changePassword() {
    -      let form = document.getElementById("formLogin");
    -      if (form.elements["Login"].value.length === 0) {
    -        alert('<fmt:message key="authentication.logon.loginMissing" />');
    -      } else {
    -        form.action = '<c:url value="/CredentialsServlet/ChangePasswordFromLogin" />';
    -        form.submit();
    -      }
    -    }
    -
         function newRegistration() {
           let form = document.getElementById("formLogin");
           form.action = '<c:url value="/CredentialsServlet/NewRegistration" />';
    @@ -246,7 +236,6 @@
               <a href="#" class="<%=submitClass%>" onclick="checkForm()"><span><span><fmt:message key="authentication.logon.login.button"/></span></span></a>
             </p>
     
    -        <% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
             <% if (forgottenPwdActive) { %>
             <p>
               <span class="forgottenPwd">
    @@ -256,24 +245,6 @@
                 <a href="javascript:resetPassword()"><fmt:message key="authentication.logon.passwordReinit"/></a>
               <%} %>
               </span>
    -            <% } %>
    -
    -            <% if (changePwdFromLoginPageActive) { %>
    -            <% if (forgottenPwdActive) { %>
    -          <span class="separator">|</span>
    -          <span class="changePwd">
    -            <% } else {%>
    -
    -        <p>
    -          <span class="changePwd">
    -          <% } %>
    -          <a class="changePwd" href="javascript:changePassword()"><fmt:message key="authentication.logon.changePassword"/></a>
    -          </span>
    -          <% } %>
    -
    -          <% if (forgottenPwdActive || changePwdFromLoginPageActive) { %>
    -        </p>
    -        <% } %>
             <% } %>
           </div>
         </div>
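Review bot: the <p> opened under <% if (forgottenPwdActive) { %> in the previous hunk no longer has a closing tag: its </p> lived inside the removed <% if (forgottenPwdActive || changePwdFromLoginPageActive) { %> block at the end of this hunk, and the surviving <% } %> now closes the forgottenPwdActive branch directly. Browsers recover by implicitly ending the paragraph at </div>, but a </p> should be restored before that <% } %> so the rendered login page stays valid markup.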
    
  • core-war/src/main/webapp/defaultReInitPassword.jsp · +2 -4 · modified
    @@ -37,11 +37,9 @@
     
       String action = request.getParameter("Action");
       String actionLabel = "";
    -  String actionTitle = reinitPasswordBundle.getString((String) request.getAttribute("title"));
    +  String actionTitle = reinitPasswordBundle.getString("screen.title.reinitRequested");
     
    -  if ("InvalidLogin".equalsIgnoreCase(action)) {
    -    actionLabel = reinitPasswordBundle.getString("screen.invalidLogin");
    -  } else if ("FirstMailSended".equalsIgnoreCase(action)) {
    +  if ("FirstMailSended".equalsIgnoreCase(action)) {
         actionLabel = reinitPasswordBundle.getString("screen.reinitRequested");
       } else if ("ChangeNotAllowed".equalsIgnoreCase(action)) {
         actionLabel = reinitPasswordBundle.getString("screen.reinitNotAllowed");
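Review bot: with the InvalidLogin branch gone, an Action value that matches none of the remaining cases (including a stale ?Action=InvalidLogin link) leaves actionLabel as "" and renders an empty body under the reinitRequested title; a final else that assigns the screen.reinitRequested text, or another neutral message, would give unknown actions the same uniform page. Pinning actionTitle to screen.title.reinitRequested also means the "title" request attribute is now ignored wherever it is still set, which is fine for ForgotPasswordHandler (its setAttribute is removed in this commit) but should be checked for any other handler that forwards to this JSP.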
    
  • core-war/src/main/webapp/headLog.jsp · +0 -2 · modified
    @@ -69,8 +69,6 @@
     // Is "forgotten password" feature active ?
       String pwdResetBehavior = general.getString("forgottenPwdActive", "reinit");
       boolean forgottenPwdActive = !"false".equalsIgnoreCase(pwdResetBehavior);
    -  boolean changePwdFromLoginPageActive =
    -      authenticationSettings.getBoolean("changePwdFromLoginPageActive", false);
       boolean newRegistrationActive = registrationSettings.isUserSelfRegistrationEnabled();
       boolean virtualKeyboardActive = ResourceLocator.getGeneralSettingBundle().getBoolean("web.tool.virtualKeyboard", false);
     
    
  • core-web/src/main/java/org/silverpeas/core/web/authentication/credentials/ChangePasswordFromLoginHandler.java · +0 -55 · removed
    @@ -1,55 +0,0 @@
    -/*
    - * Copyright (C) 2000 - 2024 Silverpeas
    - *
    - * This program is free software: you can redistribute it and/or modify
    - * it under the terms of the GNU Affero General Public License as
    - * published by the Free Software Foundation, either version 3 of the
    - * License, or (at your option) any later version.
    - *
    - * As a special exception to the terms and conditions of version 3.0 of
    - * the GPL, you may redistribute this Program in connection with Free/Libre
    - * Open Source Software ("FLOSS") applications as described in Silverpeas's
    - * FLOSS exception.  You should have received a copy of the text describing
    - * the FLOSS exception, and it is also available here:
    - * "https://www.silverpeas.org/legal/floss_exception.html"
    - *
    - * This program is distributed in the hope that it will be useful,
    - * but WITHOUT ANY WARRANTY; without even the implied warranty of
    - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    - * GNU Affero General Public License for more details.
    - *
    - * You should have received a copy of the GNU Affero General Public License
    - * along with this program.  If not, see <https://www.gnu.org/licenses/>.
    - */
    -package org.silverpeas.core.web.authentication.credentials;
    -
    -import org.silverpeas.core.annotation.Service;
    -
    -import javax.servlet.http.HttpServletRequest;
    -
    -/**
    - * Navigation case : user asks to change his password from login page.
    - * @author ndupont
    - */
    -@Service
    -public class ChangePasswordFromLoginHandler extends CredentialsFunctionFromLoginHandler {
    -
    -  @Override
    -  public String getFunction() {
    -    return "ChangePasswordFromLogin";
    -  }
    -
    -  @Override
    -  public String doAction(HttpServletRequest request) {
    -    LoginData loginData = fetchLoginData(request);
    -    if (loginData.isInvalid()) {
    -      // Login incorrect.
    -      request.setAttribute("login", loginData.getLoginId());
    -      request.setAttribute("domain", loginData.getDomainName());
    -      request.setAttribute("title", "screen.title.changeRequested");
    -      return getGeneral().getString("forgottenPasswordChangeNotAllowed");
    -    }
    -
    -    return getGeneral().getString("changePasswordFromLoginPage", "/defaultChangePassword.jsp");
    -  }
    -}
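Review bot: deleting this handler together with its JSP caller is the right call, since its doAction returned forgottenPasswordChangeNotAllowed exactly when loginData.isInvalid(), i.e. it was a second login oracle on the same CredentialsServlet. Worth confirming that a request for the now-unregistered "ChangePasswordFromLogin" function, which this class exposed by name through getFunction(), is answered with a generic error page rather than a stack trace or a different status than other unknown functions.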
    
  • core-web/src/main/java/org/silverpeas/core/web/authentication/credentials/ForgotPasswordHandler.java · +1 -2 · modified
    @@ -44,13 +44,12 @@ public String getFunction() {
     
       @Override
       public String doAction(HttpServletRequest request) {
    -    request.setAttribute("title", "screen.title.reinitRequested");
         LoginData loginData = fetchLoginData(request);
         if (loginData.isInvalid()) {
           // Login incorrect.
           request.setAttribute("login", loginData.getLoginId());
           request.setAttribute("domain", loginData.getDomainName());
    -      return getGeneral().getString("forgottenPasswordChangeNotAllowed");
    +      return getGeneral().getString("forgottenPasswordChangeAllowed");
         }
     
         ValidLoginData validLogin = (ValidLoginData) loginData;
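Review bot: this one-line change is the actual fix: an unknown login now resolves to forgottenPasswordChangeAllowed, the same FirstMailSended page a known login reaches, instead of the ChangeNotAllowed page that distinguished the two. Two residual points: the invalid branch still sets the "login" and "domain" request attributes, which the uniform page has no use for and which can go; and the valid path continues past the cast to ValidLoginData (mail sending, and the forgottenPasswordChangeNotAllowed outcome that defaultReInitPassword.jsp still handles), so a response-time difference, and a distinct page for accounts that exist but may not reset, may remain. If that outcome is reachable per user, returning the same page for it and moving the mail work off the request path would close the remaining gap.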
    
  • core-web-test/src/main/resources/org/silverpeas/lookAndFeel/generalLook.properties · +13 -13 · modified
    @@ -21,41 +21,41 @@
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <https://www.gnu.org/licenses/>.
     #
    -// Page de login par d\ufffdfaut
    +# Page de login par d\ufffdfaut
     loginPage =
     
    -// Feuille de style par d\ufffdfaut
    +# Feuille de style par d\ufffdfaut
     defaultStyleSheet =
     
    -// Feuille de style sp\ufffdcifique au login
    +# Feuille de style sp\ufffdcifique au login
     defaultLoginStyleSheet =
     
    -// Les logos (login et topBar)
    +# Les logos (login et topBar)
     logo =
     
    -// Id de l'utilisateur anonyme
    +# Id de l'utilisateur anonyme
     anonymousId=
     
    -// Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
    +# Activation de l'oubli de mot de passe (forgottenPwdActive = personalQuestion || reinit || false)
     forgottenPwdActive = reinit
     userResetPasswordPage = /defaultResetPassword.jsp
     
    -// Question personnelle (en cas d'oubli de mot de passe)
    +# Question personnelle (en cas d'oubli de mot de passe)
     userLoginQuestionEnabled=true
     userLoginQuestionPage=/defaultLoginQuestion.jsp
     
    -// Si l'utilisateur n'a pas encore rempli sa question personnelle,
    -// on peut le forcer \ufffd la remplir
    +# Si l'utilisateur n'a pas encore rempli sa question personnelle,
    +# on peut le forcer \ufffd la remplir
     userLoginQuestionMandatory=true
     userLoginQuestionSelectionPage=/defaultLoginQuestionSelection.jsp
     
    -// fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
    -// si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
    -// on l'oblige \ufffd changer son mot de passe
    +# fonctionnalit\ufffd associ\ufffde \ufffd la question personnelle :
    +# si l'utilisateur remplit sa question personnelle pour la premi\ufffdre fois
    +# on l'oblige \ufffd changer son mot de passe
     userLoginForcePasswordChange=false
     userLoginForcePasswordChangePage=/defaultForcePasswordChange.jsp
     
    -// Liste des questions personnelles propos\ufffdes
    +# Liste des questions personnelles propos\ufffdes
     loginQuestion.count=3
     loginQuestion.1=Quelle est le nom de jeune fille de votre m\ufffdre ?
     loginQuestion.2=Quelle est votre ville de naissance ?
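Review bot: switching the "//" prefixes to "#" is a genuine correctness fix for a Java .properties file: "//" is not a comment marker there, so each of those lines was being parsed as a key with an empty value and only ignored by luck. Unrelated to the CVE but good to have; the U+FFFD characters in the same lines show the file was re-encoded lossily at some point and could be re-saved with the original accents.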
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
