An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements.
The vulnerability concerns the implementation of the password change mechanism (CWE-521: Weak Password Requirements). Password complexity verification can be bypassed, meaning that server-side controls are not properly enforced. As a result, it is possible to set a password that does not meet minimum security requirements — such as very short or trivial passwords — without any blocking from the application.
An attacker can set a weak or trivial password for an account, making it easier to compromise later using methods such as dictionary attacks or brute-force. As a result, unauthorized access to the system and associated data is possible.
Apply patches available from the vendor according to the references. It is recommended to update to a version higher than 6.4.2. Until the patch is implemented, it is recommended to enforce a strong password policy at the organizational level and monitor password change attempts in application logs.
Silverpeas in version 6.4.2 and lower.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSilverpeas
APPSilverpeas≤ 6.4.2
Related vulnerabilities
Silverpeas – pominięcie hasła umożliwia dostęp jako superadmin (Auth Bypass)
Silverpeas 5.15 through 6.0.2 is affected by an authenticated Directory Traversal vulnerability that can be tr...
SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via t...
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to ex...
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID paramete...