Lucene search

GitHub Advisory DatabaseGHSA-G27C-W2V7-88XP

HistoryDec 13, 2023 - 3:30 p.m.

Cross Site Request Forgery in Silverpeas

2023-12-1315:30:58

CWE-79

CWE-352

GitHub Advisory Database

github.com

silverpeas

core

cross site request forgery

csrf

privilege escalation

administrator

user

application

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.001

Percentile

24.1%

JSON

The “userModify” feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.

Affected configurations

Vulners

Node

org.silverpeas.coresilverpeas-core-webRange<6.3.2

VendorProductVersionCPE
org.silverpeas.coresilverpeas-core-web*cpe:2.3:a:org.silverpeas.core:silverpeas-core-web:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.silverpeas.core	silverpeas-core-web	*	cpe:2.3:a:org.silverpeas.core:silverpeas-core-web::::::::

References

silverpeas.com

github.com/advisories/GHSA-g27c-w2v7-88xp

github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47322

nvd.nist.gov/vuln/detail/CVE-2023-47322

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.001

Percentile

24.1%

JSON

Related for GHSA-G27C-W2V7-88XP