CVE-2025-45055

Medium CVSS: 5.4

Silverpeas 6.4.2 contains a stored cross-site scripting (XSS) vulnerability in the event management module. An authenticated user can upload a malicious SVG file as an event attachment, which, when viewed by an administrator, executes embedded JavaScript in the admin's session. This allows attackers to escalate privileges by creating a new administrator account. The vulnerability arises from insufficient sanitization of SVG files and weak CSRF protections.

Vendor

Silverpeas

Product

Silverpeas

CWE

CWE-79

Yayın Tarihi

2025-06-09 16:15:40

Güncelleme

2025-06-25 20:24:56

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Silverpeas MEDIUM Silverpeas 2025

Referanslar

https://github.com/Silverpeas/Silverpeas-Core/pull/1394 https://medium.com/@mingihongkim/privilege-escalation-via-svg-injection-in-silverpeas-6-4-2-b5ab1d5b6955 https://medium.com/@mingihongkim/privilege-escalation-via-svg-injection-in-silverpeas-6-4-2-b5ab1d5b6955

Benzer Kayıtlar

Medium

CVE-2025-46047

A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows…

Medium

CVE-2024-56923

Stored Cross-Site Scripting (XSS) Vulnerability in the Categorization Option of My Subscriptions Functionality in Silver…

High

CVE-2024-48814

SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via the ViewTyp…