7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47323

GHSA ID

GHSA-cwh6-hm53-6w2m

EPSS Score

0.6841%

CWE

Published

12/13/2023

Updated

12/15/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-47323

CVE-2023-47323: Missing access control in Silverpeas

The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-47323

GHSA ID

GHSA-cwh6-hm53-6w2m

EPSS Score

0.6841%

CWE

Published

12/13/2023

Updated

12/15/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.silverpeas.core:silverpeas-core-api	maven	< 6.3.2	6.3.2
org.silverpeas.core:silverpeas-core-web	maven	< 6.3.2	6.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows critical security checks were added to message retrieval functions: 1) SentNotificationInterfaceImpl.getNotification was modified to require user ID and added ownership checks 2) SILVERMAILPersistence methods gained user parameters and explicit ForbiddenRuntimeException checks 3) The vulnerability stemmed from these functions processing message IDs without verifying requester authorization, as evidenced by the patch adding user context parameters and access control exceptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** noti*i**tion/m*ss**in* ***tur* o* Silv*rp**s *or* *.*.* *o*s not *n*or** ****ss *ontrol on t** I* p*r*m*t*r. T*is *llows *n *tt**k*r to r*** *ll m*ss***s s*nt **tw**n ot**r us*rs; in*lu*in* t*os* s*nt only to **ministr*tors.

Reasoning

T** *ommit *i** s*ows *riti**l s**urity ****ks w*r* ***** to m*ss*** r*tri*v*l *un*tions: *) `S*ntNoti*i**tionInt*r****Impl.**tNoti*i**tion` w*s mo*i*i** to r*quir* us*r I* *n* ***** own*rs*ip ****ks *) `SILV*RM*ILP*rsist*n**` m*t*o*s **in** us*r p*r

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-47323: Missing access control in Silverpeas

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI