CVE-2024-36042 — Silverpeas authentication bypass

Description

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field to AuthenticationServlet, often providing an unauthenticated user with superadmin access.

How to fix CVE-2024-36042

To remediate CVE-2024-36042, upgrade the affected package to a fixed version below.

Maven/org.silverpeas.core:silverpeas-core—upgrade to 6.3.5 or later

Is CVE-2024-36042 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.3.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-36042
PATCHgithub.com/Silverpeas/Silverpeas-Core
WEBgist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
WEBgithub.com/Silverpeas/Silverpeas-Core/commit/11fb5e21c252ce4751b85fccf5b8076156e0b4f0