Spip

Spip

78 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.4

CVE-2025-71240

  • EPSS 0.04%
  • Veröffentlicht 19.02.2026 14:58:12
  • Zuletzt bearbeitet 24.02.2026 18:53:21

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.

6.1

CVE-2023-53900

Exploit
  • EPSS 0.02%
  • Veröffentlicht 16.12.2025 17:06:24
  • Zuletzt bearbeitet 29.04.2026 01:00:01

Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL throu...

4.8

CVE-2024-53620

Exploit
  • EPSS 0.14%
  • Veröffentlicht 26.11.2024 19:15:31
  • Zuletzt bearbeitet 03.07.2025 00:32:56

A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.

6.3

CVE-2024-53619

Exploit
  • EPSS 0.06%
  • Veröffentlicht 26.11.2024 19:15:30
  • Zuletzt bearbeitet 07.07.2025 17:54:54

An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.

9.8

CVE-2024-8517

Exploit
  • EPSS 93.37%
  • Veröffentlicht 06.09.2024 16:15:03
  • Zuletzt bearbeitet 25.09.2025 19:15:42

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

9.8

CVE-2024-7954

  • EPSS 92.99%
  • Veröffentlicht 23.08.2024 18:15:07
  • Zuletzt bearbeitet 15.04.2026 00:35:42

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

6.1

CVE-2024-23659

  • EPSS 0.88%
  • Veröffentlicht 19.01.2024 05:15:09
  • Zuletzt bearbeitet 02.06.2025 15:15:32

SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.

6.1

CVE-2023-52322

  • EPSS 0.19%
  • Veröffentlicht 04.01.2024 07:15:09
  • Zuletzt bearbeitet 03.06.2025 15:15:49

ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.

9.8

CVE-2023-27372

  • EPSS 93.12%
  • Veröffentlicht 28.02.2023 20:15:10
  • Zuletzt bearbeitet 11.03.2025 15:15:38

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

9.8

CVE-2023-24258

Exploit
  • EPSS 2.81%
  • Veröffentlicht 27.02.2023 21:15:11
  • Zuletzt bearbeitet 21.11.2024 07:47:38

SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.