Vulnerabilities > Spip > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-01-19 | CVE-2024-23659 | Cross-site Scripting vulnerability in Spip SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. | 6.1 |
| 2024-01-04 | CVE-2023-52322 | Cross-site Scripting vulnerability in Spip ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics. | 6.1 |
| 2022-05-19 | CVE-2022-28959 | Cross-site Scripting vulnerability in Spip Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML. | 6.1 |
| 2022-03-10 | CVE-2022-26847 | Information Exposure vulnerability in multiple products SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects. | 5.3 |
| 2022-01-26 | CVE-2021-44118 | Cross-site Scripting vulnerability in Spip 4.0.0 SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. | 5.4 |
| 2022-01-26 | CVE-2021-44120 | Cross-site Scripting vulnerability in Spip 4.0.0 SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. | 5.4 |
| 2019-12-17 | CVE-2019-19830 | _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. | 6.5 |
| 2019-09-17 | CVE-2019-16394 | Information Exposure Through Discrepancy vulnerability in multiple products SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers. | 5.3 |
| 2019-09-17 | CVE-2019-16393 | Open Redirect vulnerability in multiple products SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | 6.1 |
| 2019-09-17 | CVE-2019-16392 | Cross-site Scripting vulnerability in multiple products SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. | 6.1 |