Описание
Missing access control in Silverpeas
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.
Пакеты
Наименование
org.silverpeas.core:silverpeas-core-api
maven
Затронутые версииВерсия исправления
< 6.3.2
6.3.2
Наименование
org.silverpeas.core:silverpeas-core-web
maven
Затронутые версииВерсия исправления
< 6.3.2
6.3.2
Связанные уязвимости
CVSS3: 7.5
nvd
около 2 лет назад
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.