Vulnerabilities > Spip > High

DATE CVE VULNERABILITY TITLE RISK
2022-12-14 CVE-2022-37155 Unspecified vulnerability in Spip
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
network
low complexity
spip
8.8
8.8
2022-05-19 CVE-2022-28960 Improper Encoding or Escaping of Output vulnerability in Spip
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
network
low complexity
spip CWE-116
8.8
8.8
2022-05-19 CVE-2022-28961 SQL Injection vulnerability in Spip
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
network
low complexity
spip CWE-89
8.8
8.8
2022-03-10 CVE-2022-26846 SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
network
low complexity
spip debian
8.8
8.8
2022-01-26 CVE-2021-44122 Cross-Site Request Forgery (CSRF) vulnerability in Spip 4.0.0
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php.
network
low complexity
spip CWE-352
8.8
8.8
2022-01-26 CVE-2021-44123 Unrestricted Upload of File with Dangerous Type vulnerability in Spip 4.0.0
SPIP 4.0.0 is affected by a remote command execution vulnerability.
network
low complexity
spip CWE-434
8.8
8.8
2019-04-10 CVE-2019-11071 Improper Input Validation vulnerability in multiple products
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
network
low complexity
spip debian CWE-20
8.8
8.8
2017-01-18 CVE-2016-7999 Server-Side Request Forgery (SSRF) vulnerability in Spip
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
network
low complexity
spip CWE-918
7.4
7.4
2017-01-18 CVE-2016-7998 Improper Input Validation vulnerability in Spip
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.
network
low complexity
spip CWE-20
8.8
8.8
2017-01-18 CVE-2016-7982 Path Traversal vulnerability in Spip
Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.
network
low complexity
spip CWE-22
7.5
7.5