Vulnerabilities > Spip

DATE CVE VULNERABILITY TITLE RISK
2020-11-23 CVE-2020-28984 prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
network
low complexity
spip debian
7.5
2019-12-17 CVE-2019-19830 Improper Input Validation vulnerability in multiple products
_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.
network
low complexity
spip debian CWE-20
4.0
2019-09-17 CVE-2019-16394 Information Exposure vulnerability in Spip
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.
network
low complexity
spip CWE-200
5.0
2019-09-17 CVE-2019-16393 Open Redirect vulnerability in Spip
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
network
spip CWE-601
5.8
2019-09-17 CVE-2019-16392 Cross-Site Scripting vulnerability in Spip
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
network
spip CWE-79
4.3
2019-09-17 CVE-2019-16391 Unspecified vulnerability in Spip
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database.
network
low complexity
spip
4.0
2019-04-10 CVE-2019-11071 Improper Input Validation vulnerability in multiple products
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
network
low complexity
spip debian CWE-20
6.5
2017-10-22 CVE-2017-15736 Cross-Site Scripting vulnerability in Spip
Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.
network
spip CWE-79
4.3
2017-06-17 CVE-2017-9736 OS Command Injection vulnerability in Spip
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
network
low complexity
spip CWE-78
7.5
2017-01-18 CVE-2016-7999 Server-Side Request Forgery (SSRF) vulnerability in Spip
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
network
spip CWE-918
4.3