Vulnerabilities
Vulnerable Software
Spip:  >> Spip  >> 4.0.0  Security Vulnerabilities
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
CVSS Score
9.8
EPSS Score
0.888
Published
2024-09-06
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
CVSS Score
6.1
EPSS Score
0.014
Published
2024-01-19
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-01-04
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
CVSS Score
9.8
EPSS Score
0.932
Published
2023-02-28
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
CVSS Score
9.8
EPSS Score
0.01
Published
2023-02-27
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
CVSS Score
8.8
EPSS Score
0.05
Published
2022-12-14
SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-03-10
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
CVSS Score
8.8
EPSS Score
0.008
Published
2022-03-10
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by other users (stored XSS).
CVSS Score
5.4
EPSS Score
0.001
Published
2022-01-26
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The "Who are you" and "Website Name" fields are vulnerable.
CVSS Score
5.4
EPSS Score
0.006
Published
2022-01-26


Contact Us

Shodan ® - All rights reserved