CVE-2024-39031: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability has been identified in Silverpeas Core versions 6.3.5 and earlier. The vulnerability exists in the 'Mes Agendas' feature, where users can create calendar events and invite other users, including administrators, from the same domain (NVD, GitHub POC).

The vulnerability allows a standard user to inject malicious XSS payloads into the 'Titre' and 'Description' fields when creating calendar events. The injected payload gets executed when the invited user (victim) views their own profile, even without clicking on the event. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser context. This can lead to session hijacking, theft of sensitive information, or performing actions on behalf of the victim. The impact is particularly significant as it can affect administrators and other privileged users who are invited to the malicious calendar events (GitHub POC).

The vulnerability has been fixed in Silverpeas Core through a pull request that introduces injection checking in entity embodied within incoming HTTP requests. The fix performs checking only if the request embodies a web entity encoded in supported content types (JSON or XML) (Silverpeas PR).