Vulnerabilities > Spip > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-17 | CVE-2019-16391 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. | 6.5 |
| 2017-10-22 | CVE-2017-15736 | Cross-site Scripting vulnerability in Spip Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php. | 6.1 |
| 2017-01-18 | CVE-2016-7981 | Cross-site Scripting vulnerability in Spip Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action. | 6.1 |
| 2016-12-17 | CVE-2016-9998 | Cross-site Scripting vulnerability in Spip SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL. | 6.1 |
| 2016-12-17 | CVE-2016-9997 | Cross-site Scripting vulnerability in Spip SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL. | 6.1 |
| 2016-12-05 | CVE-2016-9152 | Cross-site Scripting vulnerability in Spip 3.1.3 Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter. | 6.1 |