CVE-2024-39031

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-39031
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39031.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-39031
Aliases
Published
2024-07-09T21:15:15Z
Modified
2025-06-06T03:49:15.014148Z
Summary
[none]
Details

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

References

Affected packages

Git / github.com/silverpeas/silverpeas-core

Affected ranges

Type
GIT
Repo
https://github.com/silverpeas/silverpeas-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

6.*

6.0-alpha1
6.0-alpha2
6.0-alpha3
6.0-beta1
6.0-rc1
6.0-rc2
6.0-rc3

core-5.*

core-5.10
core-5.11
core-5.12
core-5.13
core-5.6
core-5.7
core-5.8
core-5.9