CVE-2024-39031

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-39031
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39031.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39031
Aliases
Published
2024-07-09T21:15:15.147Z
Modified
2026-04-10T05:13:32.479546Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

References

Affected packages

Git / github.com/silverpeas/silverpeas-core

Affected ranges

Type
GIT
Repo
https://github.com/silverpeas/silverpeas-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ada33a7b1c7d443b42552884e320f68c88a0df70
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.4"
        }
    ]
}

Affected versions

6.*
6.0-alpha1
6.0-alpha2
6.0-alpha3
6.0-beta1
6.0-rc1
6.0-rc2
6.0-rc3
core-5.*
core-5.11
core-5.12
core-5.6
core-5.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39031.json"