CVE-2024-36042

CRITICAL

Silverpeas < 6.3.5 - Authentication Bypass via Omitted Password Field

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-36042. PoCs published by zaaraZiof0, HA5ANT.

AI-analyzed exploit summary

The repository provides a detailed technical analysis of CVE-2024-36042, an authentication bypass vulnerability in Silverpeas versions prior to 6.3.5. It explains how omitting the password field in a login request allows unauthorized access as any valid user, including the default super admin.

Description

Silverpeas before 6.3.5 allows authentication bypass by omitting the Password field from requests to AuthenticationServlet, often giving an unauthenticated user superadmin access.

Exploits (2)

nomisec WRITEUP 3 stars
by zaaraZiof0 · poc
https://github.com/zaaraZiof0/CVE-2024-36042


Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Silverpeas < 6.3.5
No auth needed
Prerequisites: Valid username (e.g., SilverAdmin) · Access to the Silverpeas login endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by HA5ANT · poc
https://github.com/HA5ANT/Silverpeas-AuthBypass-CVE-2024-36042

This repository contains a functional Python exploit for CVE-2024-36042, an authentication bypass vulnerability in Silverpeas versions prior to 6.3.5. The exploit leverages weak session validation in the AuthenticationServlet by omitting the Password parameter and uses heuristic-based detection to confirm successful bypass.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Silverpeas < 6.3.5
No auth needed
Prerequisites: Target running vulnerable Silverpeas instance · Network access to the target
devstral-2 · analyzed May 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0013
EPSS Percentile 31.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-288
Status published
Products (2)
org.silverpeas.core/silverpeas-core 0 - 6.3.5 (Maven)
silverpeas/silverpeas < 6.3.5
Published Jun 03, 2024
Tracked Since Feb 18, 2026