The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users, including those sent only to administrators.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.silverpeas.core:silverpeas-core-web | lt | 6.3.2 |
| | org.silverpeas.core:silverpeas-core-api | lt | 6.3.2 |
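
The missing check described above, shown as an added example that is not Silverpeas code: a message lookup keyed only by ID next to one that also requires the caller to be a participant. The class, method and field names and the sample messages are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added illustration; names are hypothetical, not Silverpeas APIs.
public class MessageAccessExample {

    static final class Message {
        final String id, senderId, recipientId, body;
        Message(String id, String senderId, String recipientId, String body) {
            this.id = id; this.senderId = senderId;
            this.recipientId = recipientId; this.body = body;
        }
    }

    static final Map<String, Message> STORE = new HashMap<>();

    // Pattern the advisory describes: the ID alone selects the message.
    static Optional<Message> readUnchecked(String id) {
        return Optional.ofNullable(STORE.get(id));
    }

    // Hardened: the caller must be the sender or the recipient. A foreign ID
    // and an unknown ID give the same empty result, so the response does not
    // reveal which IDs exist.
    static Optional<Message> readForUser(String id, String callerId) {
        return Optional.ofNullable(STORE.get(id))
                .filter(m -> m.senderId.equals(callerId)
                          || m.recipientId.equals(callerId));
    }

    static void expect(boolean condition, String what) {
        if (!condition) throw new IllegalStateException("failed: " + what);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        STORE.put("1", new Message("1", "alice", "admin", "for the administrator"));
        STORE.put("2", new Message("2", "bob", "carol", "hello carol"));

        expect(readUnchecked("1").isPresent(), "unchecked read ignores the caller");
        expect(!readForUser("1", "bob").isPresent(), "non-participant is refused");
        expect(readForUser("1", "admin").isPresent(), "recipient can read");
        expect(readForUser("2", "bob").isPresent(), "sender can read");
        expect(!readForUser("9", "bob").isPresent(), "unknown ID looks the same");
        System.out.println("all checks passed");
    }
}
```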