Maven package
org.silverpeas.core/silverpeas-core-web
pkg:maven/org.silverpeas.core/silverpeas-core-web
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30139 | Med | 6.1 | — | <= 6.4-feature13197 | — | Apr 22, 2026 | A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in the context of a user's browser via crafted input. |
| CVE-2024-39031 | — | — | — | <= 6.3.5 | — | Jul 9, 2024 | In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Descrip |
| CVE-2023-47327 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | The "Create a Space" feature in Silverpeas Core 6.3.1 is reserved for use by administrators. This function suffers from broken access control, allowing any authenticated user to create a space by navigating to the correct URL. |
| CVE-2023-47325 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | The administrative "Bin" feature of Silverpeas Core 6.3.1 is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces. |
| CVE-2023-47324 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | Silverpeas Core 6.3.1 is vulnerable to Cross Site Scripting (XSS) via the message/notification feature. |
| CVE-2023-47323 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users, including those sent only to administrators. |
| CVE-2023-47322 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF will execute, making the attacker an |
| CVE-2023-47321 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Portlet Deployer", which allows administrators to deploy .WAR portlets. |
| CVE-2023-47320 | — | — | — | < 6.3.2 | 6.3.2 | Dec 13, 2023 | Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. |