CVE-2025-45055

Name of the Vulnerable Software and Affected Versions Silverpeas version 6.4.2

Description The issue arises from a stored cross-site scripting (XSS) vulnerability in the event management module. This vulnerability allows an authenticated user to upload a malicious SVG file as an event attachment. When an administrator views this attachment, embedded JavaScript is executed in the admin's session, enabling attackers to escalate privileges by creating a new administrator account. The vulnerability is caused by insufficient sanitization of SVG files and weak CSRF protections.

Recommendations For Silverpeas version 6.4.2, as a temporary workaround, consider disabling the event management module's ability to upload SVG files until a patch is available. Restrict access to the event management module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.