CVE-2024-48814

7.5 HIGH

📋 TL;DR

A SQL injection vulnerability in Silverpeas 6.4.1 allows remote attackers to execute arbitrary SQL commands via the ViewType parameter in the findbywhereclause function. This can lead to unauthorized data access, modification, or deletion. All systems running the vulnerable Silverpeas version are affected.

💻 Affected Systems

Products:
  • Silverpeas
Versions: 6.4.1
Operating Systems: All platforms running Silverpeas
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration and requires no special settings to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, modification, deletion, or potential remote code execution if database configuration permits.

🟠 Likely Case

Unauthorized access to sensitive application data stored in the database, potentially including user credentials, personal information, or business data.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of the application's database structure and SQL syntax, but no authentication is needed to trigger the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes from GitHub pull requests #859 and #1353

Vendor Advisory: https://github.com/Silverpeas/Silverpeas-Components/pull/859 and https://github.com/Silverpeas/Silverpeas-Core/pull/1353

Restart Required: No

Instructions:

1. Apply the fixes from the referenced GitHub pull requests.
2. Update Silverpeas to a patched version when available.
3. Test the application functionality after patching.

🔧 Temporary Workarounds

Input Validation Filter (platforms: all)

Implement strict input validation for the ViewType parameter so that only expected values are allowed.

WAF Rule (platforms: all)

Deploy web application firewall rules to block SQL injection patterns in the ViewType parameter.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Silverpeas instances
  • Enable detailed logging and monitoring for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Silverpeas version is 6.4.1 and review the code for the vulnerable findbywhereclause function.

Check Version:

Check the Silverpeas version in the application interface or configuration files.

Verify Fix Applied:

Verify that the fixes from the GitHub pull requests have been applied and test that SQL injection attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed parameter validation attempts for ViewType

Network Indicators:

  • HTTP requests with SQL injection patterns in ViewType parameter

SIEM Query:

search 'ViewType' AND ('UNION' OR 'SELECT' OR 'INSERT' OR 'DELETE' OR 'UPDATE' OR 'OR 1=1') in web server logs
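
The same check as the SIEM query, as an added example (not Silverpeas code and not from the advisory): it parses access-log lines, URL-decodes the ViewType value, and matches the keywords case-insensitively and as whole words, which a plain string search misses. The combined log format, the `/silverpeas/placeholder` path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')
# Keywords from the SIEM query above: whole words only, any letter case.
SQLI_RE = re.compile(
    r"\b(?:union|select|insert|delete|update)\b|\bor\s+1\s*=\s*1\b", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding (e.g. %2520) so keywords cannot hide behind it."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_viewtype(log_line):
    """Return the decoded ViewType value if it matches SQLI_RE, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    # parse_qsl decodes once; the parameter name is compared case-insensitively.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "viewtype":
            value = fully_decode(value)
            if SQLI_RE.search(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = ((n, suspicious_viewtype(l)) for n, l in enumerate(lines, start=1))
    return [(n, v) for n, v in hits if v is not None]

# Constructed sample lines; the request path is a placeholder, not a real endpoint.
_P = '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /silverpeas/placeholder?'
SAMPLE_LOG = [
    _P + 'ViewType=list HTTP/1.1" 200 512',
    _P + 'ViewType=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 0',
    _P + 'viewtype=1%2520oR%25201%253D1 HTTP/1.1" 200 512',   # double-encoded
    _P + 'ViewType=updated HTTP/1.1" 200 512',                # benign whole word
    _P + 'q=select HTTP/1.1" 200 512',                        # different parameter
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: suspicious ViewType value {value!r}")
```

Access logs normally record only the query string, so a ViewType value sent in a POST body needs request-body logging or WAF logs to be visible to this check.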
