CVE-2023-47325: Broken access control in the Silverpeas Core 6.3.1 administrative "Bin"
Silverpeas Core 6.3.1 administrative "Bin" feature is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces.
AI Analysis
Technical Summary
CVE-2023-47325 is a medium-severity broken access control vulnerability in Silverpeas Core 6.3.1, an enterprise collaboration and content management platform used to run digital workspaces ("spaces") and the content within them. The administrative "Bin" holds spaces that have been deleted but not yet purged and is intended for administrators only. In 6.3.1 the application does not verify the caller's role when the bin is requested directly, so a user with an ordinary, non-administrative account who knows or guesses the bin's URL can view every deleted space and then restore any of them or delete them permanently.

This is a failure of function-level authorization on administrative operations (CWE-284, Improper Access Control): the privileged functions exist and are reachable, and the only thing between an ordinary user and them is whether that user navigates to the URL. The result is vertical privilege escalation inside the application; no operating-system or tenant boundary is crossed, which is why the CVSS vector records scope as unchanged.

The CVSS 3.1 base score is 5.4 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: exploitable over the network with low attack complexity, requiring only a low-privileged account and no user interaction, with limited impact on confidentiality (the bin's contents are disclosed) and on integrity (spaces can be restored or purged), and none scored for availability. Read the A:N rating with care: a permanent deletion by an unauthorized user is an irreversible loss of that space unless it can be recovered from backups.

The record lists no known exploitation in the wild and no patch or vendor advisory. It was reserved on 6 November 2023, published on 13 December 2023, and has been enriched by CISA. The vendor and product fields of the record are empty ("n/a"); this is a gap in the record's metadata rather than uncertainty about the affected software, since the description itself names Silverpeas Core 6.3.1.
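The following is an added example written for this page, not Silverpeas source code, that models the flaw class just described. Handler names, roles and space identifiers are assumptions. It contrasts an application whose only gate on the bin is that ordinary users do not see the menu link with one that re-checks the administrator role on every request to the bin handlers, and drives both as a low-privileged user who requests the bin directly.

```python
# Added illustration of the flaw class behind CVE-2023-47325: an administrative
# "bin" whose only protection is that ordinary users do not see the link.
# This is a stand-alone model written for this page, NOT Silverpeas code;
# handler names, roles and space identifiers are assumptions.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool


@dataclass
class Workspaces:
    active: dict = field(default_factory=dict)  # space_id -> space name
    bin: dict = field(default_factory=dict)     # space_id -> space name (soft-deleted)


class Forbidden(Exception):
    """Raised when a handler refuses a request on authorization grounds."""


class VulnerableApp:
    """Gates the bin in the presentation layer only (CWE-284 pattern):
    the menu omits the link for non-admins, but the handlers behind the
    URL never look at the caller's role."""

    def __init__(self, ws: Workspaces):
        self.ws = ws

    def menu(self, user: User) -> list:
        return ["home"] + (["bin"] if user.is_admin else [])

    def view_bin(self, user: User) -> list:
        return sorted(self.ws.bin)

    def restore(self, user: User, space_id: str) -> str:
        self.ws.active[space_id] = self.ws.bin.pop(space_id)
        return space_id

    def purge(self, user: User, space_id: str) -> str:
        del self.ws.bin[space_id]
        return space_id


def require_admin(handler):
    """Server-side authorization, evaluated on every call regardless of
    how the caller reached the handler (menu link or typed URL)."""
    def wrapped(self, user: User, *args):
        if not user.is_admin:
            raise Forbidden(f"{user.name} may not call {handler.__name__}")
        return handler(self, user, *args)
    wrapped.__name__ = handler.__name__
    return wrapped


class HardenedApp(VulnerableApp):
    """Same handlers and same menu; each bin operation re-checks the role."""
    view_bin = require_admin(VulnerableApp.view_bin)
    restore = require_admin(VulnerableApp.restore)
    purge = require_admin(VulnerableApp.purge)


def exercise(app_cls) -> tuple:
    """Drive an app as a low-privileged user who requests the bin directly,
    ignoring the menu. Returns (menu shown to the user, actions that
    succeeded, space ids still in the bin afterwards)."""
    ws = Workspaces(active={"s1": "HR"},
                    bin={"s2": "Legal archive", "s3": "Old project"})  # constructed data
    app = app_cls(ws)
    alice = User("alice", is_admin=False)
    succeeded = []
    for action, args in (("view_bin", ()), ("restore", ("s2",)), ("purge", ("s3",))):
        try:
            getattr(app, action)(alice, *args)
            succeeded.append(action)
        except Forbidden:
            pass
    return app.menu(alice), succeeded, sorted(ws.bin)


if __name__ == "__main__":
    # Both apps show alice the same menu without a bin link; only the
    # hardened one refuses the direct requests.
    print("vulnerable:", exercise(VulnerableApp))
    print("hardened:  ", exercise(HardenedApp))
```

The point of the contrast is that the menu is identical in both cases; what differs is whether the handler itself evaluates the role. When testing a deployment, that is also the check to perform: request the bin URL with an ordinary account and confirm it is refused, rather than confirming the link is absent.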
Potential Impact
For European organizations running Silverpeas Core 6.3.1, the first consequence is disclosure: the bin reveals every deleted space, including ones that were deleted precisely because they were sensitive or obsolete, and restoring a space makes it active again. The second is integrity: a low-privileged user can undo deletions administrators made deliberately, or purge spaces parked in the bin pending review, with no approval step. Availability is scored as unaffected, but a purge by an unauthorized user is effectively a loss of that space's content unless backups exist, so treat the bin's contents as exposed to silent destruction as well as to disclosure. Because the flaw only needs a valid ordinary account, the realistic threat actors are insiders and anyone holding a compromised low-privileged credential, and exposure of personal or confidential data that was believed deleted may create GDPR obligations. The impact is heightened in sectors with strict data governance requirements, such as government, finance, healthcare and critical infrastructure, all of which are well represented across Europe.
Mitigation Recommendations
1. Until a fixed release is deployed, restrict who can reach the administrative bin. Identify the bin's URL from an administrator session and, at the reverse proxy, allow that path only from administrator source networks or from sessions the proxy can attribute to administrators. Hiding the menu entry is not a control; the flaw is precisely that the URL works when typed directly.
2. Review the Silverpeas role configuration so that space administration, including the bin, is granted only to administrator accounts, and verify with a low-privileged test account that a direct request to the bin URL is refused rather than merely absent from the navigation.
3. Monitor access logs for requests to the bin and to its restore and permanent-delete actions by accounts that are not administrators. A successful (2xx or 3xx) response to such a request is the signal; a 403 is evidence that the compensating control is working.
4. If the bin cannot be restricted at the proxy or in configuration, disable the feature temporarily.
5. Track Silverpeas releases and advisories and upgrade as soon as a version addressing this issue is available; the record currently lists no patch.
6. Brief users and administrators on the risk and on reporting unexpected restored or missing spaces.
7. The root cause is authorization, not authentication, but because any valid low-privileged session suffices, make sure sessions of departed or demoted users are invalidated promptly and that accounts are not shared.
8. Where a WAF or reverse proxy sits in front of Silverpeas, add a rule that blocks or alerts on the bin path for requests it cannot attribute to an administrator; this only works if the proxy can distinguish administrator traffic (by source network, authenticated header or similar).
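As an added example for recommendations 3 and 8, written for this page and not taken from Silverpeas, the following script joins constructed reverse-proxy access-log lines with a constructed administrator list and flags bin requests by non-administrators. The /silverpeas/admin/bin path prefix, the restore and purge action names, the log format and the sample lines are all assumptions; substitute the URL you observe when opening the bin as an administrator in your own deployment.

```python
# Added detection example for CVE-2023-47325-style misuse: join proxy access
# logs with the administrator list and flag bin requests from ordinary users.
# Written for this page, NOT taken from Silverpeas. The /silverpeas/admin/bin
# prefix, the restore/purge action names, the log format and the sample
# lines are all constructed assumptions.
import re
from collections import Counter

# Combined-log-format line with the authenticated username in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Assumed bin URL; "/restore" and "/purge" are the state-changing sub-actions.
# The trailing \b keeps unrelated paths such as /admin/binary from matching.
BIN_RE = re.compile(r"^/silverpeas/admin/bin(?P<action>/(?:restore|purge))?\b")

SAMPLE_LOG = """\
10.0.0.5 - alice [13/Dec/2023:10:01:02 +0100] "GET /silverpeas/admin/bin HTTP/1.1" 200 5123
10.0.0.5 - alice [13/Dec/2023:10:01:40 +0100] "POST /silverpeas/admin/bin/restore?space=WA7 HTTP/1.1" 302 0
10.0.0.9 - bob [13/Dec/2023:10:05:11 +0100] "GET /silverpeas/admin/bin HTTP/1.1" 200 5123
10.0.0.7 - carol [13/Dec/2023:10:06:00 +0100] "GET /silverpeas/Main/home HTTP/1.1" 200 812
10.0.0.7 - carol [13/Dec/2023:10:06:30 +0100] "GET /silverpeas/admin/binary/x HTTP/1.1" 200 10
10.0.0.5 - alice [13/Dec/2023:10:07:30 +0100] "POST /silverpeas/admin/bin/purge?space=WA3 HTTP/1.1" 302 0
10.0.0.5 - dave [13/Dec/2023:10:09:00 +0100] "GET /silverpeas/admin/bin HTTP/1.1" 403 0
"""

ADMINS = {"bob"}  # constructed stand-in for an LDAP/IdP group lookup


def detect(log_text: str, admins: set) -> list:
    """Return (user, action, timestamp, severity) for every bin request that a
    non-administrator made and the server accepted (status < 400).
    Listing the bin is 'medium'; restore and purge change state and are 'high'.
    Refused requests (403) are skipped: they show the control working."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = BIN_RE.match(m["path"])
        if not hit or m["user"] in admins or int(m["status"]) >= 400:
            continue
        action = (hit["action"] or "/view").lstrip("/")
        severity = "high" if action in ("restore", "purge") else "medium"
        alerts.append((m["user"], action, m["ts"], severity))
    return alerts


def offenders(alerts: list) -> Counter:
    """Count accepted bin requests per non-admin account, to prioritise triage."""
    return Counter(user for user, *_ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, ADMINS)
    for user, action, ts, severity in found:
        print(f"[{severity}] {ts} {user} -> bin {action}")
    print(offenders(found))
```

On the sample data the script raises three alerts, all for alice (one listing, one restore, one purge), ignores bob because he is an administrator, ignores carol's unrelated paths, and ignores dave's refused request. In production the administrator set should come from the identity store, and the same rule can be expressed as a proxy or WAF alert on the bin path for any request lacking an administrator attribute.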
Affected Countries
France, Germany, Belgium, Netherlands, Italy, Spain, United Kingdom
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-11-06T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682f6ee00acd01a249264721
Added to database: 5/22/2025, 6:37:20 PM
Last enriched: 6/6/2025, 4:59:20 PM
Last updated: 7/7/2025, 8:40:23 AM
Related Threats
- CVE-2025-6386: CWE-203 Observable Discrepancy in parisneo parisneo/lollms (High)
- CVE-2025-6210: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in run-llama run-llama/llama_index (Medium)
- CVE-2025-5472: CWE-674 Uncontrolled Recursion in run-llama run-llama/llama_index (Medium)
- CVE-2025-4779: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in lunary-ai lunary-ai/lunary (Critical)
- CVE-2025-3777: CWE-20 Improper Input Validation in huggingface huggingface/transformers (Low)