Vulnerabilities > Spip

DATE CVE VULNERABILITY TITLE RISK
2016-12-05 CVE-2016-9152 Cross-site Scripting vulnerability in Spip 3.1.3
Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter.
network
spip CWE-79
4.3
4.3
2016-04-08 CVE-2016-3154 Code Injection vulnerability in Spip
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
network
low complexity
spip CWE-94
7.5
7.5
2016-04-08 CVE-2016-3153 Code Injection vulnerability in multiple products
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
network
low complexity
debian spip CWE-94
7.5
7.5
2014-01-30 CVE-2013-7303 Cross-Site Scripting vulnerability in Spip
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.
network
spip CWE-79
4.3
4.3
2013-11-18 CVE-2013-4557 Code Injection vulnerability in Spip
The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.
network
low complexity
spip CWE-94
7.5
7.5
2013-11-18 CVE-2013-4556 Cross-Site Scripting vulnerability in Spip
Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.
network
spip CWE-79
4.3
4.3
2013-11-18 CVE-2013-4555 Cross-Site Request Forgery (CSRF) vulnerability in Spip
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.
network
spip CWE-352
6.8
6.8
2013-07-09 CVE-2013-2118 Unspecified vulnerability in Spip
SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.
network
low complexity
spip
7.5
7.5
2012-08-14 CVE-2012-4331 Security vulnerability in SPIP Multiple
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
network
low complexity
spip
critical
 10.0
10
2012-08-14 CVE-2012-2151 Cross-Site Scripting vulnerability in Spip
Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
spip CWE-79
4.3
4.3