CVE-2024-39031

Exploit

EPSS 6.74%
Veröffentlicht 09.07.2024 21:15:15
Zuletzt bearbeitet 05.06.2025 14:03:30
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Silverpeas ≫ Silverpeas Version < 6.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.74%	0.909

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/toneemarqus/CVE-2024-39031

Patch

Third Party Advisory

Exploit

https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-39031

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39031

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39031

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-39031