PT-2024-28339 · Unknown · Silverpeas Core

Toneemarqus · Published 2024-07-08 · Updated 2024-07-25 · CVE-2024-39031

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Silverpeas Core versions <= 6.3.5

Description: A standard user can inject a stored XSS payload into the Titre and Description fields when creating an event in Mes Agendas. The user can then invite others, including administrators, to the event. When an invited user views their profile, the payload executes even if they never interact with the event.

Recommendations: For Silverpeas Core versions <= 6.3.5, update to a version greater than 6.3.5 to resolve the issue. As a temporary workaround, consider restricting access to the event creation feature in Mes Agendas to minimize the risk of exploitation, and avoid using the Titre and Description fields in the event creation process until the issue is resolved.
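The root cause described above is stored field text reaching an invitee's browser without output encoding. The following added example (not Silverpeas Core code; the event record layout and function names are assumptions) shows the vulnerable rendering pattern beside its hardened form, plus a triage helper a defender can run over exported event records to find already-stored markup in the Titre and Description fields:

```python
import html
import re
from dataclasses import dataclass

# Constructed stand-in for a stored Mes Agendas event. Field names follow the
# advisory (Titre, Description); the record layout is an assumption, not
# Silverpeas Core's actual data model.
@dataclass
class AgendaEvent:
    titre: str
    description: str
    organizer: str

# Vulnerable pattern: stored field text is interpolated into markup as-is, so
# any HTML a standard user saved is interpreted by the invitee's browser when
# the profile (with its event list) is rendered.
def render_event_unsafe(ev: AgendaEvent) -> str:
    return (f'<div class="event"><h3>{ev.titre}</h3>'
            f'<p>{ev.description}</p><span>{ev.organizer}</span></div>')

# Hardened form: every untrusted field is HTML-entity-encoded at output time,
# so saved markup is displayed as text rather than interpreted.
def render_event_safe(ev: AgendaEvent) -> str:
    t, d, o = (html.escape(s, quote=True)
               for s in (ev.titre, ev.description, ev.organizer))
    return (f'<div class="event"><h3>{t}</h3>'
            f'<p>{d}</p><span>{o}</span></div>')

# Markup indicators worth a human look: any HTML tag, an inline event-handler
# attribute, or a javascript: URL scheme in a field that should be plain text.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:",
                       re.IGNORECASE)

# Triage helper: returns (organizer, field) pairs for stored events whose
# free-text fields already contain markup, e.g. after patching, to find
# records created while the vulnerable version was in use.
def find_suspicious_events(events):
    hits = []
    for ev in events:
        for field in ("titre", "description"):
            if MARKUP_RE.search(getattr(ev, field)):
                hits.append((ev.organizer, field))
    return hits

# Constructed sample records; the second carries a harmless probe tag.
SAMPLE_EVENTS = [
    AgendaEvent("Reunion budget", "Salle 2, 14h", "bob"),
    AgendaEvent("Point hebdo <script>probe()</script>", "Ordre du jour", "alice"),
]
```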

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2024-39031
GHSA-VFWH-GVF6-MFF8

Affected Products

Silverpeas Core