PT-2025-3348 · Unknown · Silverpeas Core

Mohamed Saqib C · Published 2025-01-22 · Updated 2025-01-23 · CVE-2024-56923

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Silverpeas Core versions 6.3.1 through 6.4.1

Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in the Categorization Option of the My Subscriptions functionality. A remote attacker can execute arbitrary JavaScript code by injecting a malicious payload into the Name field of a subscription; the payload is stored and rendered later. This can lead to session hijacking, data theft, or unauthorized actions when an admin user views the affected subscription.

Recommendations: For Silverpeas Core versions 6.3.1 through 6.4.1, consider disabling the Categorization Option of the My Subscriptions functionality until a patch is available. Restrict access to the My Subscriptions feature to minimize the risk of exploitation. Avoid using the Name field in the affected subscription functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-56923
GHSA-788M-27G4-CF86

Affected Products

Silverpeas Core