Miggo Logo
Miggo Vulnerability Database
CVE-2023-47322

CVE-2023-47322: Cross Site Request Forgery in Silverpeas

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-47322
GHSA ID
GHSA-g27c-w2v7-88xp
EPSS Score
0.35507%
CWE
CWE-79
Published
12/13/2023
Updated
12/15/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.silverpeas.core:silverpeas-core-webmaven< 6.3.26.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly implicates the 'userModify' feature as the attack vector. In Java web applications following REST conventions, user modification endpoints would typically be handled by a controller method like userModify in a UserResource class. The absence of CSRF protection in this critical administrative function matches the described attack pattern where state-changing requests can be forged without token validation. While exact code isn't available, the combination of the vulnerability mechanics and Silverpeas's architecture strongly suggests this endpoint implementation is the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** "us*rMo*i*y" ***tur* o* Silv*rp**s *or* *.*.* is vuln*r**l* to *ross Sit* R*qu*st *or**ry (*SR*) l***in* to privil*** *s**l*tion. I* *n **ministr*tor *o*s to * m*li*ious URL w*il* **in* *ut**nti**t** to t** Silv*rp**s *ppli**tion, t** *SR* wit* *

Reasoning

T** vuln*r**ility **s*ription *xpli*itly impli**t*s t** 'us*rMo*i*y' ***tur* *s t** *tt**k v**tor. In J*v* w** *ppli**tions *ollowin* R*ST *onv*ntions, us*r mo*i*i**tion *n*points woul* typi**lly ** **n*l** *y * *ontroll*r m*t*o* lik* `us*rMo*i*y` in