CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-28984 – Ubuntu Security Notice USN-5482-2
https://notcve.org/view.php?id=CVE-2020-28984
23 Nov 2020 — prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters. El archivo prive/formulaires/configurer_preferences.php en SPIP versión anterior a 3.2.8, no valida correctamente los parámetros couleur, display, display_navigation, display_outils, imessage y spip_ecran It was discovered that SPIP incorrectly validated inputs. An authenticated attacker could possibly use this issue to ex... • https://git.spip.net/spip/spip/commit/ae4267eba1022dabc12831ddb021c5d6e09040f8 •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2019-19830 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-19830
17 Dec 2019 — _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. El archivo _core_/plugins/medias en SPIP versiones 3.2.x anteriores a la versión 3.2.7, permite a autores autenticados remotos inyectar contenido de la base de datos. Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting attacks. Gilles Vincent discovered that SPIP incorrectly hand... • https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-sortie-de-SPIP-3-2-7-SPIP-3-1-12.html •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16391 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-16391
17 Sep 2019 — SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php. SPIP versiones anteriores a 3.1.11 y versiones 3.2 anteriores a 3.2.5, permite a visitantes autenticados modificar cualquier contenido publicado y ejecutar otras modificaciones en la base de datos. Esto está Youssouf Boulouiz discovered that SPIP incorrectly handled login error messag... • https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16392 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-16392
17 Sep 2019 — SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. SPIP versiones anteriores a 3.1.11 y versiones 3.2 anteriores a 3.2.5, permite un ataque de tipo XSS del archivo prive/formulaires/login.php por medio de mensajes de error. Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting attacks. Gilles Vincent discovered that SPIP incorrectly handled password rese... • https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2019-16393 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-16393
17 Sep 2019 — SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. SPIP versiones anteriores a 3.1.11 y versiones 3.2 anteriores a 3.2.5, maneja inapropiadamente las URL de redireccionamiento en el archivo ecrire/inc/headers.php con un carácter %0D,%0A o %20. Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting attacks. Gilles Vincent discove... • https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 39%CPEs: 6EXPL: 2CVE-2019-16394 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-16394
17 Sep 2019 — SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers. SPIP versiones anteriores a 3.1.11 y versiones 3.2 anteriores a 3.2.5, proporciona diferentes mensajes de error desde la página password-reminder dependiendo de si existe una dirección de correo electrónico, que podría ayudar a atacantes para enumerar suscriptores. Youssouf Boulouiz discovered that SPIP i... • https://github.com/trungnd51/Silent_CVE_2019_16394 • CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 2%CPEs: 3EXPL: 0CVE-2019-11071 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2019-11071
10 Apr 2019 — SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled. SPIP 3.1 versiones anteriores a 3.1.10 y 3.2 versiones anteriores a 3.2.4 permite a los visitantes autentificados ejecutar código arbitrario en el servidor host porque var_memotri se maneja de forma inadecuada. Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-... • https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15736 – Ubuntu Security Notice USN-4536-1
https://notcve.org/view.php?id=CVE-2017-15736
21 Oct 2017 — Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php. Vulnerabilidad de Cross-Site Scripting (XSS) (persistente) en SPIP en versiones anteriores a la 3.1.7 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante una cadena manipulada, tal y como demuestra un campo PGP, relacionad... • https://core.spip.net/projects/spip/repository/revisions/23701 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 14EXPL: 0CVE-2017-9736 – Debian Security Advisory 3890-1
https://notcve.org/view.php?id=CVE-2017-9736
17 Jun 2017 — SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution. SPIP en versiones 3.1.x anteriores a la 3.1.6 y versiones 3.2.x anteriores a la Beta 3 no elimina los metacaracteres shell del campo host, lo que permite que un atacante remoto provoque la ejecución remota de código. Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-... • http://www.debian.org/security/2017/dsa-3890 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0CVE-2016-9997
https://notcve.org/view.php?id=CVE-2016-9997
17 Dec 2016 — SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL. SPIP 3.1.x sufre de una vulnerabilidad de XSS reflectada en /ecrire/exec/puce_statut.php involucrando el parámetro `$id`, según lo demostrado por una URL /ecrire/?exec=puce_statut. • http://www.securityfocus.com/bid/95008 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •