CVSS: 6.1EPSS: 0%CPEs: 58EXPL: 0CVE-2013-4556
https://notcve.org/view.php?id=CVE-2013-4556
15 Nov 2013 — Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter. Vulnerabilidad de XSS en la página de autor (prive/formulaires/editer_auteur.php) de SPIP anterior a la versión 2.1.24 y 3.0.x anterior a 3.0.12 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro url_site. • http://core.spip.org/projects/spip/repository/revisions/20879 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 12EXPL: 1CVE-2013-4557
https://notcve.org/view.php?id=CVE-2013-4557
15 Nov 2013 — The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter. Security Screen (_core_/securite/ecran_securite.php) anterior a la versión 1.1.8 para SPIP, tal y como se usa en SPIP 3.0.x anterior a 3.0.12, permite a atacantes remotos ejecutar PHP arbitrario a través del parámetro connect. • http://secunia.com/advisories/55551 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 46EXPL: 1CVE-2013-4555
https://notcve.org/view.php?id=CVE-2013-4555
15 Nov 2013 — Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors. Vulnerabilidad de CSRF en ecrire/action/logout.php de SPIP anterior a la versión 2.1.24 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios por solicitudes que cierren la sesión del usuario a través de vectores sin especificar. • http://core.spip.org/projects/spip/repository/revisions/20874 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 12%CPEs: 53EXPL: 1CVE-2013-2118 – SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2013-2118
09 Jul 2013 — SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php. SPIP v3.0.x anteriores a v3.0.9, v2.1.x anteriores a v2.1.22, y v2.0.x anteriores a v2.0.23 permiten a atacantes remotos obtener privilegios y tomar control editorial" a través de vectores relacionados con ecrire/inc/filtres.php. • https://www.exploit-db.com/exploits/33425 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2151
https://notcve.org/view.php?id=CVE-2012-2151
14 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en SPIP v1.9.x antes de v1.9.2.o, v2.0.x antes de v2.0.18, y v2.1.x antes de v2.1.13 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://archives.rezo.net/archives/spip-en.mbox/U5QUZ6WJRAJC7H5BR7W5SQG6WCD3PXL7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-4331
https://notcve.org/view.php?id=CVE-2012-4331
14 Aug 2012 — Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151. Múltiples vulnerabilidades no especificadas en SPIP antes de v1.9.2.o, v2.0.x antes de v2.0.18 y v2.1.x antes de v2.1.13 tienen un impacto desconocido y vectores de ataque que no están relacionados con secuencias de comandos entre sitios (XSS). Se trata de vulnerabilid... • http://archives.rezo.net/archives/spip-en.mbox/U5QUZ6WJRAJC7H5BR7W5SQG6WCD3PXL7 •
CVSS: 9.1EPSS: 3%CPEs: 18EXPL: 2CVE-2009-3041 – SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File
https://notcve.org/view.php?id=CVE-2009-3041
01 Sep 2009 — SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009. SPIP v1.9 anterior v1.9.2i y v2.0.x hasta 2.0.8 no usa propiedades de control de acceso para 1) ecrire/exec/install.php y(2) ecrire/index.php, permitiendo a atacantes remotos dirigir actividades no autorizadas relacionadas con la... • https://www.exploit-db.com/exploits/9448 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 18EXPL: 0CVE-2008-5812
https://notcve.org/view.php?id=CVE-2008-5812
02 Jan 2009 — Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors. Múltiples vulnerabilidades no especificadas en SPIP v1.8 anteriores a v1.8.3b, 1.9 anteriores a v1.9.2g y v2.0 anteriores a v2.0.2 tienen un impacto y vectores de ataque desconocidos. • http://secunia.com/advisories/33307 •
CVSS: 9.8EPSS: 0%CPEs: 18EXPL: 0CVE-2008-5813
https://notcve.org/view.php?id=CVE-2008-5813
02 Jan 2009 — SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en inc/rubriques.php en SPIP v1.8 anteriores a v1.8.3b, v1.9 anteriores a v1.9.2g, y v2.0 anteriores a v2.0.2 permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro "ID". NOTA: algu... • http://secunia.com/advisories/33307 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4525
https://notcve.org/view.php?id=CVE-2007-4525
25 Aug 2007 — PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers, stating that the squelette_cache variable is initialized before use, and is only used within the scope of a function ** EN DISPUTA ** Vulnerabilidad de inclusión remota de archivo en PHP en inc-calcul.php3 de SPIP versión 1.7.2 permite a a... • http://securityreason.com/securityalert/3056 • CWE-94: Improper Control of Generation of Code ('Code Injection') •