Vulnerability Details CVE-2025-71241
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.9%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2025-71241
-
cpe:2.3:a:spip:spip:4.1.0
-
cpe:2.3:a:spip:spip:4.1.1
-
cpe:2.3:a:spip:spip:4.1.10
-
cpe:2.3:a:spip:spip:4.1.11
-
cpe:2.3:a:spip:spip:4.1.12
-
cpe:2.3:a:spip:spip:4.1.13
-
cpe:2.3:a:spip:spip:4.1.14
-
cpe:2.3:a:spip:spip:4.1.15
-
cpe:2.3:a:spip:spip:4.1.16
-
cpe:2.3:a:spip:spip:4.1.17
-
cpe:2.3:a:spip:spip:4.1.18
-
cpe:2.3:a:spip:spip:4.1.19
-
cpe:2.3:a:spip:spip:4.1.2
-
cpe:2.3:a:spip:spip:4.1.3
-
cpe:2.3:a:spip:spip:4.1.4
-
cpe:2.3:a:spip:spip:4.1.5
-
cpe:2.3:a:spip:spip:4.1.6
-
cpe:2.3:a:spip:spip:4.1.7
-
cpe:2.3:a:spip:spip:4.1.8
-
cpe:2.3:a:spip:spip:4.1.9
-
cpe:2.3:a:spip:spip:4.2.0
-
cpe:2.3:a:spip:spip:4.2.1
-
cpe:2.3:a:spip:spip:4.2.10
-
cpe:2.3:a:spip:spip:4.2.11
-
cpe:2.3:a:spip:spip:4.2.12
-
cpe:2.3:a:spip:spip:4.2.13
-
cpe:2.3:a:spip:spip:4.2.14
-
cpe:2.3:a:spip:spip:4.2.15
-
cpe:2.3:a:spip:spip:4.2.16
-
cpe:2.3:a:spip:spip:4.2.2
-
cpe:2.3:a:spip:spip:4.2.3
-
cpe:2.3:a:spip:spip:4.2.4
-
cpe:2.3:a:spip:spip:4.2.5
-
cpe:2.3:a:spip:spip:4.2.6
-
cpe:2.3:a:spip:spip:4.2.7
-
cpe:2.3:a:spip:spip:4.2.8
-
cpe:2.3:a:spip:spip:4.2.9
-
cpe:2.3:a:spip:spip:4.3.0
-
cpe:2.3:a:spip:spip:4.3.1
-
cpe:2.3:a:spip:spip:4.3.2
-
cpe:2.3:a:spip:spip:4.3.3
-
cpe:2.3:a:spip:spip:4.3.4