Description: The "create a space" feature in Silverpeas Core suffers from broken access control, allowing any user to create a space regardless of permissions.
Versions Affected: < 6.3.1
Version Fixed: 6.3.2
Researcher: Tyler Ramsbey (https://youtube.com/@TylerRamsbey)
Disclosure Link: https://rhinosecuritylabs.com/research/silverpeas-file-read-cves/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-47320
The "create a space" feature in Silverpeas Core is reserved for administrator use. This feature suffers from Broken Access Control, allowing any authenticated user to create a space by navigating directly to the correct URL.
To exploit this vulnerability, an attacker with low privileges needs to navigate directly to this URL with their X-STKN token: http://localhost:8080/silverpeas/RjobStartPagePeas/jsp/CreateSpace?X-STKN=[Users-STKN-Token]. The attacker can then type in a name and description and click "Ok" and the space is successfully created.