Miggo Logo
Miggo Vulnerability Database
CVE-2023-47325

CVE-2023-47325: Broken access control in Silverpeas

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-47325
GHSA ID
GHSA-42g3-3jwm-63rx
EPSS Score
0.42233%
CWE
CWE-284
Published
12/13/2023
Updated
12/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.silverpeas.core:silverpeas-core-webmaven< 6.3.26.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The PoC demonstrates exploitation via direct navigation to /RjobStartPagePeas/jsp/ViewBin. In Java web applications, JSPs are either protected by security constraints in web.xml or programmatic checks in controllers. The vulnerability indicates missing authorization enforcement at the entry point handling this URL. While the exact class/method isn't visible in provided data, the JSP endpoint itself represents the vulnerable access point. This matches the CWE-284 pattern of missing access control on a sensitive functionality endpoint.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Silv*rp**s *or* *.*.* **ministr*tiv* "*in" ***tur* is *****t** *y *rok*n ****ss *ontrol. * us*r wit* low privil***s is **l* to n*vi**t* *ir**tly to t** *in, r*v**lin* *ll **l*t** sp***s. T** us*r **n t**n r*stor* or p*rm*n*ntly **l*t* t** sp***s.

Reasoning

T** Po* **monstr*t*s *xploit*tion vi* *ir**t n*vi**tion to /Rjo*St*rtP***P**s/jsp/Vi*w*in. In J*v* w** *ppli**tions, JSPs *r* *it**r prot**t** *y s**urity *onstr*ints in `w**.xml` or pro*r*mm*ti* ****ks in *ontroll*rs. T** vuln*r**ility in*i**t*s mis