Silverpeas 6.4.2 contains a stored cross-site scripting (XSS) vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attackers to escalate privileges by creating a new administrator account. The vulnerability arises from insufficient sanitization of SVG files and weak CSRF protections.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/45xxx/CVE-2025-45055.json",
"cna_assigner": "mitre"
}