9 results

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross-Site Request Forgery (CSRF) leading to privilege escalation. If an administrator visits a malicious URL while authenticated to the Silverpeas application, the forged request executes in the administrator's session and makes the attacker an administrator user in the application. • http://silverpeas.com • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users, including those sent only to administrators. • http://silverpeas.com •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — Silverpeas Core 6.3.1 is vulnerable to Cross-Site Request Forgery (CSRF) via the Domain SQL Create function. • http://silverpeas.com • CWE-352: Cross-Site Request Forgery (CSRF) •
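Both CSRF entries above ("userModify" and "Domain SQL Create") share one root cause: an administrative state change is accepted whenever the browser presents a valid admin session cookie, which an attacker's page can trigger cross-site. The following is an added example, not Silverpeas code and not taken from the advisories, showing the vulnerable pattern next to a synchronizer-token defence with an Origin/Referer check and a constant-time token comparison. Request and session are modelled as plain maps so it runs stand-alone with `java CsrfCheck.java`; the origin, parameter names (`userId`, `accessLevel`) and role name are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Silverpeas code): synchronizer-token CSRF protection for a
 * state-changing administrative action. The request and session are maps so the
 * file runs without a servlet container.
 */
public class CsrfCheck {

    /** Origin the application is served from; hypothetical value for the example. */
    static final String APP_ORIGIN = "https://intranet.example";

    private static final SecureRandom RNG = new SecureRandom();

    /** Issue a per-session token at login and keep it in the server-side session. */
    static String issueToken(Map<String, String> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put("csrfToken", token);
        return token;
    }

    /**
     * Vulnerable pattern: the handler only checks that the session is an admin's.
     * A cross-site link or auto-submitting form opened by a logged-in administrator
     * passes this check, which is the privilege escalation the advisory describes.
     */
    static boolean vulnerableUserModify(Map<String, String> session, Map<String, String> request) {
        return "admin".equals(session.get("role"));
    }

    /**
     * Hardened pattern: (1) the state change is only accepted over POST, (2) the Origin
     * header (Referer as fallback) must belong to the application, (3) the token sent in
     * the request body must equal the session token, compared in constant time.
     */
    static boolean hardenedUserModify(Map<String, String> session, Map<String, String> request) {
        if (!"admin".equals(session.get("role"))) return false;
        if (!"POST".equals(request.get("method"))) return false;

        String origin = request.getOrDefault("Origin", request.get("Referer"));
        if (origin == null || !originMatches(origin)) return false;

        String expected = session.get("csrfToken");
        String supplied = request.get("csrfToken");
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Exact origin, or a Referer that carries a path below it; a prefix-only test would accept "https://intranet.example.attacker.test". */
    static boolean originMatches(String headerValue) {
        return headerValue.equals(APP_ORIGIN) || headerValue.startsWith(APP_ORIGIN + "/");
    }

    public static void main(String[] args) {
        Map<String, String> adminSession = new HashMap<>();
        adminSession.put("role", "admin");
        String token = issueToken(adminSession);

        // Constructed forged request: the administrator's browser follows a link on an
        // attacker page. The session cookie rides along, but there is no token and the
        // referring page is foreign.
        Map<String, String> forged = new HashMap<>();
        forged.put("method", "GET");
        forged.put("Referer", "https://attacker.example/lure");
        forged.put("userId", "1337");
        forged.put("accessLevel", "ADMINISTRATOR");

        // Constructed legitimate request submitted from the application's own form.
        Map<String, String> legit = new HashMap<>(forged);
        legit.put("method", "POST");
        legit.put("Origin", APP_ORIGIN);
        legit.put("csrfToken", token);

        System.out.println("vulnerable handler, forged request:  " + vulnerableUserModify(adminSession, forged));
        System.out.println("hardened handler, forged request:    " + hardenedUserModify(adminSession, forged));
        System.out.println("hardened handler, legitimate request: " + hardenedUserModify(adminSession, legit));
    }
}
```

The token is the primary control; the Origin/Referer check is defence in depth, since an attacker can suppress the Referer with a referrer policy but cannot forge the Origin a browser attaches to a cross-site POST. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side mitigation, not a replacement for the server-side token.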

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — The "Create a Space" feature in Silverpeas Core 6.3.1 is reserved for use by administrators. This function suffers from broken access control, allowing any authenticated user to create a space by navigating to the correct URL. • http://silverpeas.com •

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges can invoke the administrator-only function that puts the application into "Maintenance Mode", making the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below. • http://silverpeas.com •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Portlet Deployer", the feature that allows administrators to deploy .WAR portlets. • http://silverpeas.com •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — Silverpeas Core 6.3.1 is vulnerable to Cross-Site Scripting (XSS) via the message/notification feature. • http://silverpeas.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Dec 2023 — The Silverpeas Core 6.3.1 administrative "Bin" feature is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces. • http://silverpeas.com •
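Five of the entries above are the same defect in two shapes: function-level ("Create a Space", "Maintenance Mode", "Portlet Deployer", "Bin" reachable by any authenticated user who knows the URL) and object-level (any message readable by supplying its ID). The following is an added example, not Silverpeas code, of deny-by-default authorization that closes both: the role check lives in the handler rather than in the menu that hides the link, unknown actions are refused, and a message ID grants nothing unless the caller is the sender or a recipient. Role names, action names, the data model and the sample messages are constructed for the example; it needs Java 16 or later for records and runs with `java AccessControl.java`.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Silverpeas code): deny-by-default function-level and
 * object-level authorization. All names and data are constructed for the example.
 */
public class AccessControl {

    enum Role { USER, ADMIN }

    record User(String id, Role role) {}

    /** A notification/message with its sender and recipient ids (constructed sample data). */
    record Message(String id, String sender, Set<String> recipients, String body) {}

    /** Minimum role per action. Anything not listed is denied, so a new admin page is closed until someone registers it. */
    private static final Map<String, Role> REQUIRED_ROLE = Map.of(
        "space.create",       Role.ADMIN,
        "maintenance.toggle", Role.ADMIN,
        "bin.view",           Role.ADMIN,
        "bin.restore",        Role.ADMIN,
        "portlet.deploy",     Role.ADMIN,
        "message.read",       Role.USER
    );

    /** Vulnerable pattern: the handler only checks that someone is logged in; the UI hides the link from non-admins. */
    static boolean vulnerableCanPerform(User caller, String action) {
        return caller != null;
    }

    /** Function-level check: the action must be known and the caller's role must reach the required one. */
    static boolean canPerform(User caller, String action) {
        if (caller == null) return false;
        Role required = REQUIRED_ROLE.get(action);
        if (required == null) return false;              // unknown action: deny by default
        return caller.role().ordinal() >= required.ordinal();
    }

    /**
     * Object-level check: the client-supplied ID is looked up, then the record is only
     * returned if the caller is a party to it. "Not yours" and "does not exist" give the
     * same answer so the ID space cannot be enumerated.
     */
    static Message readMessage(User caller, String messageId, Map<String, Message> store) {
        if (!canPerform(caller, "message.read")) return null;
        Message m = store.get(messageId);
        if (m == null) return null;
        boolean party = m.sender().equals(caller.id()) || m.recipients().contains(caller.id());
        return party ? m : null;
    }

    public static void main(String[] args) {
        User alice = new User("alice", Role.USER);
        User bob   = new User("bob", Role.USER);
        User root  = new User("root", Role.ADMIN);

        // Constructed store: one message from bob addressed to the administrator only.
        Map<String, Message> store = Map.of(
            "42", new Message("42", bob.id(), Set.of(root.id()), "quarterly budget draft, do not circulate"));

        for (String action : List.of("space.create", "maintenance.toggle", "bin.view",
                                     "portlet.deploy", "unknown.action")) {
            System.out.printf("%-20s alice(vulnerable)=%-5s alice=%-5s root=%s%n", action,
                vulnerableCanPerform(alice, action), canPerform(alice, action), canPerform(root, action));
        }
        System.out.println("alice reads message 42: " + (readMessage(alice, "42", store) == null ? "denied" : "granted"));
        System.out.println("root reads message 42:  " + (readMessage(root, "42", store) == null ? "denied" : "granted"));
        System.out.println("alice reads message 99: " + (readMessage(alice, "99", store) == null ? "denied" : "granted"));
    }
}
```

The role table is the single place to audit when reviewing which URLs are administrative; a test that walks every registered action as a low-privilege user and expects a refusal is the regression check for the function-level class, and a test that reads another user's message by ID is the check for the object-level one.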

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

09 Apr 2019 — Silverpeas 5.15 through 6.0.2 is affected by an authenticated Directory Traversal vulnerability that can be triggered during file uploads because core/webapi/upload/FileUploadData.java mishandles a StringUtil.java call. This vulnerability enables regular users to write arbitrary files on the underlying system with privileges of the user running the application. Especially, an attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory to execute commands on the underl... • https://github.com/Silverpeas/Silverpeas-Core/blob/d8c3bbb0695a4907db013401bd16c6527e2b4f41/core-web/src/main/java/org/silverpeas/core/webapi/upload/FileUploadData.java#L89 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
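The 2019 entry describes the classic upload traversal: a client-controlled file name is joined onto the upload directory, `../` segments walk out of it, and the attacker lands a JSP in a served directory. The following is an added example, not Silverpeas code and not the patched `FileUploadData.java`, contrasting the naive join with a resolver that keeps only the final name segment, rejects NUL bytes and dot names, verifies containment after normalisation, and separately refuses server-executable extensions. Only paths are computed, nothing is written to disk, so it runs stand-alone with `java UploadPath.java`; the upload directory and the sample file names are constructed for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Silverpeas code): safe resolution of a client-supplied upload
 * file name against a fixed upload directory. Paths are only computed here.
 */
public class UploadPath {

    /** Where uploads are meant to land (hypothetical directory for the example). */
    static final Path UPLOAD_DIR = Paths.get("/opt/app/data/uploads").toAbsolutePath().normalize();

    /** Vulnerable pattern: the client-supplied name is joined as-is, so "../" escapes UPLOAD_DIR. */
    static Path vulnerableTarget(String clientFileName) {
        return UPLOAD_DIR.resolve(clientFileName).normalize();
    }

    /**
     * Hardened pattern. Returns null when the upload must be refused.
     * 1. Reject NUL bytes (a C-level truncation trick; the JDK Path API also refuses them).
     * 2. Keep only the last segment, accepting both separator styles because browsers on
     *    some platforms send a full client-side path.
     * 3. Reject empty and dot names.
     * 4. Resolve, normalise and confirm the result is still below UPLOAD_DIR. After step 2
     *    this cannot fail, but the containment check costs nothing and survives refactoring.
     */
    static Path safeTarget(String clientFileName) {
        if (clientFileName == null || clientFileName.indexOf('\0') >= 0) return null;
        String name = clientFileName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) return null;
        Path target = UPLOAD_DIR.resolve(name).normalize();
        if (!target.startsWith(UPLOAD_DIR)) return null;   // element-wise check, not a string prefix
        return target;
    }

    /**
     * The advisory's escalation is an executable server page written where the container
     * will run it. Refusing these extensions is a second layer; the first is that the
     * upload directory must never be served as application content.
     */
    static boolean hasServerExecutableExtension(Path p) {
        String n = p.getFileName().toString().toLowerCase();
        return n.endsWith(".jsp") || n.endsWith(".jspx") || n.endsWith(".war");
    }

    public static void main(String[] args) {
        // Constructed sample names as a client might send them in a multipart upload.
        String[] samples = {
            "report.pdf",
            "C:\\Users\\me\\notes.txt",
            "../../../var/lib/tomcat/webapps/ROOT/cmd.jsp",
            "..",
            "inner\0.txt"
        };
        for (String s : samples) {
            String naive;
            try {
                naive = vulnerableTarget(s).toString();
            } catch (InvalidPathException e) {
                naive = "InvalidPathException: " + e.getReason();
            }
            Path safe = safeTarget(s);
            String verdict = safe == null ? "refused"
                : hasServerExecutableExtension(safe) ? "refused (server-executable extension)"
                : "accepted -> " + safe;
            System.out.println("input : " + s.replace("\0", "\\0"));
            System.out.println("  naive: " + naive);
            System.out.println("  safe : " + verdict);
        }
    }
}
```

Note that `Path.startsWith(Path)` compares name elements, so a sibling such as `/opt/app/data/uploads-old` does not pass as a prefix match the way a `String.startsWith` check would. On a real deployment the resolved path should also be checked after following symbolic links (`toRealPath()`), which this path-only example omits because it never touches the filesystem.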