[{"vendor":"silverpeas","product":"silverpeas","defaultStatus":"unknown","cpes":["cpe:2.3:a:silverpeas:silverpeas:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThanOrEqual":"6.3.5","versionType":"custom","status":"affected"}]}]

{"timestamp":"2024-07-11T17:24:44.973627Z","id":"CVE-2024-39031","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"n/a","product":"n/a","versions":[{"version":"n/a","status":"affected"}]}]

OR
          *cpe:2.3:a:silverpeas:silverpeas:*:*:*:*:*:*:*:* versions up to (excluding) 6.4

CVE: https://github.com/toneemarqus/CVE-2024-39031 Types: Exploit, Patch, Third Party Advisory

CVE: https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346 Types: Issue Tracking, Patch

MITRE: https://github.com/toneemarqus/CVE-2024-39031 Types: Exploit, Patch, Third Party Advisory

MITRE: https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346 Types: Issue Tracking, Patch

https://github.com/toneemarqus/CVE-2024-39031

https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346

In Silverpeas Core <= 6.3.5, inside of mes agendas a user can create a new event and add it to his calendar. The user can also add other users to the event from the same domain, including administrator. A normal user can create an event with XSS payload inside “Titre” and “Description” parameters and add the administrator or any user to the event. When the other user (victim) visits his own profile (even without clicking on the event) the payload will be executed on the victim side.

In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.

CISA-ADP AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA-ADP CWE-79

In Silverpeas Core <= 6.3.5, inside of mes agendas a user can create a new event and add it to his calendar. The user can also add other users to the event from the same domain, including administrator. A normal user can create an event with XSS payload inside “Titre” and “Description” parameters and add the administrator or any user to the event. When the other user (victim) visits his own profile (even without clicking on the event) the payload will be executed on the victim side.

MITRE https://github.com/toneemarqus/CVE-2024-39031 [No types assigned]

MITRE https://www.github.com/Silverpeas/Silverpeas-Core/pull/1346 [No types assigned]