Silverpeas
cpe:2.3:a:silverpeas:silverpeas:*:*:*:*:*:*:*
- 6.4.2
A stored cross-site scripting vulnerability has been identified in Silverpeas version 6.4.2, in the event management module. Authenticated users can upload malicious SVG files as event attachments; when an administrator views such a file, the JavaScript embedded in it executes in the administrator's session. This can be used for privilege escalation by creating a new administrator account. The issue stems from inadequate sanitization of SVG files combined with weak cross-site request forgery protections.
Successful exploitation gives full administrative access through client-side privilege escalation: a new administrator account is created without detection.
To reproduce this vulnerability, an authenticated user uploads a malicious SVG file as an event attachment in the Silverpeas event management module. The SVG file contains a script that extracts the anti-CSRF token from the viewing user's session and then sends a request to create a new administrator account. Once the file is uploaded, an administrator must be tricked into opening the SVG attachment, which triggers the script and escalates privileges.
Users are advised to update to the latest version of Silverpeas, where this vulnerability has been addressed. Additionally, deploy a strict Content Security Policy that blocks inline scripts, and do not render uploaded SVG files in any context where scripts may execute.
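As an added defensive example (not code from Silverpeas or from this advisory), the following Python audits an uploaded SVG for script-capable constructs before it is stored, and builds the response headers that keep an SVG attachment from running in the application's origin even if it does get rendered. The function names and the two sample SVGs are constructed for illustration.

```python
# Defensive audit of an uploaded SVG attachment (illustrative, not Silverpeas code)
import xml.etree.ElementTree as ET

# Elements that can carry or load executable content inside an SVG document
SCRIPT_CAPABLE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that accept a URL and therefore a javascript: or data: scheme
URL_ATTRIBUTES = {"href", "src", "data"}

def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def audit_svg(svg_text: str) -> list[str]:
    """Return the reasons this SVG must not be rendered inline; an empty list means clean."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_CAPABLE_ELEMENTS:
            findings.append(f"script-capable element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)  # also normalises xlink:href to href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append(f"{name} on <{tag}> uses a {value.split(':', 1)[0]}: URL")
    return findings

def untrusted_svg_headers(filename: str) -> dict[str, str]:
    """Headers for serving a user-uploaded SVG so the browser never executes it in the app origin."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Download instead of rendering as a top-level document in the application's origin
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If it is rendered anyway: no scripts, no network, and a sandboxed (opaque) origin
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

# Constructed samples: a plain drawing, and the shape of attachment the advisory describes
# (with an inert script body so the sample itself does nothing)
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
FLAGGED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="">'
               '<script>/* inert placeholder */</script></svg>')
```

The audit is a blocklist and will not catch every trick (animation elements can also set attributes), so treat the headers as the primary control and the audit as early rejection plus logging.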