Missing access control in Silverpeas

2023-12-1315:30:58

GitHub Advisory Database

github.com

silverpeas

access control

messaging

software vulnerability

security

6.9 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

35.3%

JSON

The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.

CPENameOperatorVersion
org.silverpeas.core:silverpeas-core-weblt6.3.2
org.silverpeas.core:silverpeas-core-apilt6.3.2

CPE	Name	Operator	Version
	org.silverpeas.core:silverpeas-core-web	lt	6.3.2
	org.silverpeas.core:silverpeas-core-api	lt	6.3.2

References

silverpeas.com

github.com/advisories/GHSA-cwh6-hm53-6w2m

github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47323

github.com/Silverpeas/Silverpeas-Core/commit/6383746372d408eeefa73e17ef95608ddd2c7fba

nvd.nist.gov/vuln/detail/CVE-2023-47323