CVE-2023-47322: Cross Site Request Forgery in Silverpeas
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.35507%
CWE
Published
12/13/2023
Updated
12/15/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.silverpeas.core:silverpeas-core-web | maven | < 6.3.2 | 6.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly implicates the 'userModify' feature as the attack vector. In Java web applications following REST conventions, user modification endpoints would typically be handled by a controller method like userModify in a UserResource class. The absence of CSRF protection in this critical administrative function matches the described attack pattern where state-changing requests can be forged without token validation. While exact code isn't available, the combination of the vulnerability mechanics and Silverpeas's architecture strongly suggests this endpoint implementation is the vulnerable component.