CVE-2021-44118
- EPSS 0.77%
- Veröffentlicht 26.01.2022 12:15:07
- Zuletzt bearbeitet 21.11.2024 06:30:23
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side ...
CVE-2020-28984
- EPSS 2.17%
- Veröffentlicht 23.11.2020 22:15:12
- Zuletzt bearbeitet 21.11.2024 05:23:26
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
CVE-2019-19830
- EPSS 1.27%
- Veröffentlicht 17.12.2019 05:15:14
- Zuletzt bearbeitet 21.11.2024 04:35:28
_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.
CVE-2019-16394
- EPSS 7.54%
- Veröffentlicht 17.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:37
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.
CVE-2019-16393
- EPSS 1.1%
- Veröffentlicht 17.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:37
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
CVE-2019-16392
- EPSS 1.16%
- Veröffentlicht 17.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:37
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
CVE-2019-16391
- EPSS 1.49%
- Veröffentlicht 17.09.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:30:37
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-11071
- EPSS 2.58%
- Veröffentlicht 10.04.2019 21:29:01
- Zuletzt bearbeitet 21.11.2024 04:20:28
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
CVE-2017-15736
- EPSS 0.99%
- Veröffentlicht 22.10.2017 18:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/tex...
CVE-2017-9736
- EPSS 3.16%
- Veröffentlicht 17.06.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.