CVSS: 7.5EPSS: 32%CPEs: 1EXPL: 2CVE-2016-7982 – SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal
https://notcve.org/view.php?id=CVE-2016-7982
20 Oct 2016 — Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action. Vulnerabilidad de salto de directorio en ecrire/exec/valider_xml.php en SPIP 3.1.2 y versiones anteriores permite a atacantes remotos enumerar los archivos en el sistema a través del parámetro var_url en una acción valider_xml. SPIP versions 3.1.2 and below suffer from file enumeration and path traversal vul... • https://packetstorm.news/files/id/139235 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 24%CPEs: 1EXPL: 2CVE-2016-7998 – SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution
https://notcve.org/view.php?id=CVE-2016-7998
20 Oct 2016 — The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action. El compositor/compilador de plantillas de SPIP en SPIP 3.1.2 y versiones anteriores permite a usuarios remotos autentificados ejecutar código PHP arbitrario cargando un archivo HTML con una etiqueta INCLUDE (1) o INCLURE (2) manipulada y después accediendo a ella c... • https://packetstorm.news/files/id/139239 • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 1CVE-2016-7999 – SPIP 3.1.2 Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2016-7999
20 Oct 2016 — ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action. Ecrire/exec/valider_xml.php en SPIP 3.1.2 y versiones anteriores permite a atacantes llevar a cabo ataques de SSRF a través de una URL en el parámetro var_url en una acción valider_xml. SPIP versions 3.1.2 and below suffer from a server-side request forgery vulnerability. • https://packetstorm.news/files/id/139240 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-7980 – SPIP 3.1.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2016-7980
19 Oct 2016 — Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code. Vulnerabilidad de CSRF en ecrire/exec/valider_xml.php en SPIP 3.1.2 y versiones anteriores permite a atacantes remotos secuestrar la autenticación de los admi... • https://packetstorm.news/files/id/139233 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 52%CPEs: 1EXPL: 1CVE-2016-7981 – SPIP 3.1.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-7981
19 Oct 2016 — Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action. Vulnerabilidad de XSS en valider_xml.php en SPIP 3.1.2 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro var_url en una acción valider_xml. SPIP versions 3.1.2 and below suffer from a cross site scripting vulnerability. • https://packetstorm.news/files/id/139234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 63EXPL: 0CVE-2016-3153 – Debian Security Advisory 3518-1
https://notcve.org/view.php?id=CVE-2016-3153
16 Mar 2016 — SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function. SPIP 2.x en versiones anteriore a 2.1.19, 3.0.x en versiones anteriores a 3.0.22 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos ejecutar código PHP arbitrario añadiendo contenido, relacionado con la función filtrer_entites. Several vulnerabilities were found in SPIP, a website engine for publishing, resultin... • http://www.debian.org/security/2016/dsa-3518 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 1%CPEs: 62EXPL: 0CVE-2016-3154 – Debian Security Advisory 3518-1
https://notcve.org/view.php?id=CVE-2016-3154
16 Mar 2016 — The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. La función encoder_contexte_ajax en ecrire/inc/filtres.php en SPIP 2.x en versiones anteriores a 2.1.19, 3.0.x en versiones anteriores a 3.0.22 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos llevar a cabo ataques de inyección de ob... • http://www.debian.org/security/2016/dsa-3518 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 52EXPL: 0CVE-2013-7303
https://notcve.org/view.php?id=CVE-2013-7303
30 Jan 2014 — Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field. Múltiples vulnerabilidades de XSS en (1) squelettes-dist/formulaires/inscription.php y (2) prive/forms/editer_auteur.php de SPIP anterior a la versión 2.1.25 y 3.0.x anterior a 3.0.13 permite a atacantes remotos inyectar script Web o HT... • http://core.spip.org/projects/spip/repository/revisions/20902 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 58EXPL: 0CVE-2013-4556
https://notcve.org/view.php?id=CVE-2013-4556
15 Nov 2013 — Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter. Vulnerabilidad de XSS en la página de autor (prive/formulaires/editer_auteur.php) de SPIP anterior a la versión 2.1.24 y 3.0.x anterior a 3.0.12 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro url_site. • http://core.spip.org/projects/spip/repository/revisions/20879 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 12EXPL: 1CVE-2013-4557
https://notcve.org/view.php?id=CVE-2013-4557
15 Nov 2013 — The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter. Security Screen (_core_/securite/ecran_securite.php) anterior a la versión 1.1.8 para SPIP, tal y como se usa en SPIP 3.0.x anterior a 3.0.12, permite a atacantes remotos ejecutar PHP arbitrario a través del parámetro connect. • http://secunia.com/advisories/55551 • CWE-94: Improper Control of Generation of Code ('Code Injection') •