Vulnerability Description
In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Silverpeas | Silverpeas | < 6.4 |
Related Weaknesses (CWE)
References
- https://github.com/toneemarqus/CVE-2024-39031ExploitPatchThird Party Advisory
- https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346Issue TrackingPatch
- https://github.com/toneemarqus/CVE-2024-39031ExploitPatchThird Party Advisory
- https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346Issue TrackingPatch
FAQ
What is CVE-2024-39031?
CVE-2024-39031 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these...
How severe is CVE-2024-39031?
CVE-2024-39031 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-39031?
Check the references section above for vendor advisories and patch information. Affected products include: Silverpeas Silverpeas.