Cyber Posture

CVE-2024-48814

Severity: High · Public PoC

Published: 03 January 2025

Modified: 28 May 2025
KEV Added: none listed
Patch: available (see Security Summary)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via the ViewType parameter of the findbywhereclause function.

Security Summary

CVE-2024-48814 is an SQL injection vulnerability (CWE-89) in Silverpeas 6.4.1. The issue is in the findbywhereclause function, which does not properly sanitize the ViewType parameter before using it in a query, so an attacker can inject SQL through that parameter.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction. The impact metrics (C:H/I:N/A:N) rate it for confidentiality loss only: a remote, unauthenticated attacker can exploit it to read sensitive information from the database, but the score does not claim data modification or denial of service.

Mitigation is provided through patches in the Silverpeas repositories: pull request #859 in Silverpeas-Components and pull request #1353 in Silverpeas-Core. Further details, including a proof-of-concept, are documented in the referenced Gist at https://gist.github.com/SubZ3r0-0x01/7150f7cbc3b7d810adb221cae3d08fc8. The low EPSS score (0.0007, 20.1st percentile) estimates the probability of in-the-wild exploitation, not how hard the bug is to exploit; with a public PoC and no authentication required, exposed instances should still be patched.
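The following is an added example, written for this page and not Silverpeas code or the content of the referenced PRs. It models the bug class behind this CVE: a "find by where clause" style lookup whose view-type argument is concatenated into SQL text, beside the parameterized form that fixes it, run against a constructed in-memory SQLite database. The table names, column names, sample rows, allowed view-type values and the function names are all assumptions made for the illustration; only the injection mechanism and the fix are general.

```python
"""Constructed illustration of CVE-2024-48814's bug class (CWE-89).

Not Silverpeas code: the schema, sample data, allow-list values and the
helper functions below are assumptions made for this example.
"""
import sqlite3


def _demo_db() -> sqlite3.Connection:
    # Constructed sample data: a publications table that the lookup is
    # meant to query, plus an unrelated users table holding the
    # "sensitive information" an attacker would go after.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE publication (id INTEGER, name TEXT, view_type TEXT);
        INSERT INTO publication VALUES (1, 'Public report', 'Valid'),
                                       (2, 'Draft memo',    'Draft');
        CREATE TABLE st_user (id INTEGER, login TEXT, password_hash TEXT);
        INSERT INTO st_user VALUES (1, 'admin', '$2a$10$examplehashvalue');
    """)
    return conn


def find_by_where_clause_vulnerable(conn: sqlite3.Connection,
                                    view_type: str) -> list:
    # The CWE-89 pattern: the caller-controlled value becomes part of the
    # SQL text, so any quotes and keywords it contains are executed.
    where_clause = "view_type = '" + view_type + "'"
    sql = "SELECT id, name FROM publication WHERE " + where_clause
    return conn.execute(sql).fetchall()


def find_by_where_clause_fixed(conn: sqlite3.Connection,
                               view_type: str) -> list:
    # Parameter binding: the value travels separately from the SQL text
    # and can never change the statement's structure.
    sql = "SELECT id, name FROM publication WHERE view_type = ?"
    return conn.execute(sql, (view_type,)).fetchall()


# Assumed set of legal view types; defence in depth for an
# enumeration-like parameter, applied before any query is built.
ALLOWED_VIEW_TYPES = frozenset({"Valid", "Draft", "ToValidate"})


def validate_view_type(view_type: str) -> str:
    if view_type not in ALLOWED_VIEW_TYPES:
        raise ValueError(f"unknown view type: {view_type!r}")
    return view_type


# Constructed payload: closes the string literal, appends a UNION that
# pulls rows from another table through the same result set, and
# comments out the closing quote the original query would add.
UNION_PAYLOAD = ("x' UNION SELECT id, login || ':' || password_hash "
                 "FROM st_user -- ")


def demo() -> tuple:
    """Return (rows leaked by the vulnerable lookup,
               rows returned by the fixed lookup for the same payload,
               rows returned by the fixed lookup for a legitimate value)."""
    conn = _demo_db()
    leaked = find_by_where_clause_vulnerable(conn, UNION_PAYLOAD)
    safe = find_by_where_clause_fixed(conn, UNION_PAYLOAD)
    normal = find_by_where_clause_fixed(conn, "Valid")
    return leaked, safe, normal


if __name__ == "__main__":
    leaked, safe, normal = demo()
    print("vulnerable lookup leaked:", leaked)
    print("fixed lookup with payload:", safe)
    print("fixed lookup with 'Valid':", normal)
```

The vulnerable lookup returns the admin login and hash from st_user, because the UNION became part of the statement; the fixed lookup treats the whole payload as a literal view-type value and matches nothing. Binding is the fix; the allow-list is an additional check for parameters that are really enumerations, not a substitute for it.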

Details

CWE(s)
CWE-89

Affected Products

Vendor: silverpeas
Product: silverpeas
Version: 6.4.1
