CVE-2024-42850: 
Java vulnerability analysis and mitigation

A vulnerability has been identified in Silverpeas version 6.4.2 and lower, tracked as CVE-2024-42850. The vulnerability was discovered in the password change functionality, which allows users to bypass the system's password complexity requirements. The issue was disclosed on August 16, 2024 (NVD, MITRE).

The vulnerability exists in the password change function's implementation. When changing a password, the system performs an initial POST request to verify password complexity requirements. However, a subsequent POST request to update the account password does not include these verification checks, allowing users to set passwords that don't meet the intended security requirements, including single-character passwords (GitHub POC). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability compromises the security posture of affected systems by allowing users to set weak passwords that bypass intended complexity requirements. This could lead to easily guessable passwords and potentially unauthorized access to user accounts (GitHub POC).

Organizations running affected versions of Silverpeas (v6.4.2 and lower) should upgrade to a patched version when available. In the meantime, organizations should monitor password change activities and implement additional controls to enforce password complexity requirements at the network or application gateway level (Silverpeas).