Mmoqui

**Name of the Vulnerable Software and Affected Versions** Silverpeas version 6.4.2 **Description** The issue arises from a stored cross-site scripting (XSS) vulnerability in the event management module. This vulnerability allows an authenticated user to upload a malicious SVG file as an event attachment. When an administrator views this attachment, embedded JavaScript is executed in the admin's session, enabling attackers to escalate privileges by creating a new administrator account. The vulnerability is caused by insufficient sanitization of SVG files and weak CSRF protections. **Recommendations** For Silverpeas version 6.4.2, as a temporary workaround, consider disabling the event management module's ability to upload SVG files until a patch is available. Restrict access to the event management module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Silverpeas version 6.4.1 Description: A remote attacker can obtain sensitive information via the `ViewType` parameter of the `findbywhereclause` function. This issue allows for SQL Injection, potentially leading to the exposure of sensitive data. Recommendations: For Silverpeas version 6.4.1, consider disabling the `findbywhereclause` function or restricting access to the `ViewType` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.