5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56923

GHSA ID

GHSA-788m-27g4-cf86

EPSS Score

0.13132%

CWE

CWE-79

Published

1/22/2025

Updated

1/29/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-56923

CVE-2024-56923: Cross site scripting in Silverpeas Core

Stored Cross-Site Scripting (XSS) Vulnerability in the Categorization Option of My Subscriptions Functionality in Silverpeas Core 6.3.1 <= 6.4.1 allows a remote attacker to execute arbitrary JavaScript code. This is achieved by injecting a malicious payload into the Name field of a subscription. The attack can lead to session hijacking, data theft, or unauthorized actions when an admin user views the affected subscription.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-56923

GHSA ID

GHSA-788m-27g4-cf86

EPSS Score

0.13132%

CWE

CWE-79

Published

1/22/2025

Updated

1/29/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.silverpeas.core:silverpeas-core	maven	>= 6.3.1, < 6.4.2	6.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper output encoding when handling the subscription name field. The pull request #1373 mentions encoding HTML titles/labels, indicating the rendering layer (JSP templates) was vulnerable. The persistence layer (SubscriptionVO) likely lacks input sanitization, while the web layer (SubscriptionResource) fails to encode outputs. These components work together to enable stored XSS when admin views subscriptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Stor** *ross-Sit* S*riptin* (XSS) Vuln*r**ility in t** **t**oriz*tion Option o* My Su*s*riptions *un*tion*lity in Silv*rp**s *or* *.*.* <= *.*.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry J*v*S*ript *o**. T*is is ***i*v** *y inj**tin* * m*li*ious

Reasoning

T** vuln*r**ility st*ms *rom improp*r output *n*o*in* w**n **n*lin* t** su*s*ription n*m* *i*l*. T** pull r*qu*st #**** m*ntions *n*o*in* *TML titl*s/l***ls, in*i**tin* t** r*n**rin* l*y*r (JSP t*mpl*t*s) w*s vuln*r**l*. T** p*rsist*n** l*y*r (Su*s*r

5.4

Basic Information

Concerned about an active attack path?

CVE-2024-56923: Cross site scripting in Silverpeas Core

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI