CVE-2024-39031: Silverpeas Core Cross-site Scripting vulnerability

July 9, 2024 (updated July 10, 2024)

In Silverpeas Core <= 6.3.5, inside of mes agendas a user can create a new event and add it to his calendar. The user can also add other users to the event from the same domain, including administrator. A normal user can create an event with XSS payload inside Titre and Description parameters and add the administrator or any user to the event. When the other user (victim) visits his own profile (even without clicking on the event) the payload will be executed on the victim side.

References

github.com/Silverpeas/Silverpeas-Core
github.com/Silverpeas/Silverpeas-Core/commit/a0289f8a6f8b6a9ebc399973093118ddb48b77d8
github.com/advisories/GHSA-vfwh-gvf6-mff8
github.com/toneemarqus/CVE-2024-39031
nvd.nist.gov/vuln/detail/CVE-2024-39031
www.github.com/Silverpeas/Silverpeas-Core/pull/1346

Detect and mitigate CVE-2024-39031 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →