CVSS: 5.3 | EPSS: 0% | CPEs: 6 | EXPL: 1

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.
• References:
  https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html
  https://core.spip.net/issues/4171
  https://lists.debian.org/debian-lts-announce/2019/10/msg00038.html
  https://seclists.org/bugtraq/2019/Sep/40
  https://usn.ubuntu.com/4536-1
  https://www.debian.org/security/2019/dsa-4532
  https://zone.spip.net/trac/spip-zone/changeset/117577/spip-zone
  https://zone.spip.net/trac/spip-zone/changeset/117578/spip-zone
• CWE-203: Observable Discrepancy

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
• References:
  https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html
  https://github.com/spip/SPIP/commit/3ef87c525bc0768c926646f999a54222b37b5d36
  https://github.com/spip/SPIP/commit/824d17f424bf77d17af89c18c3dc807a3199567e
  https://github.com/spip/SPIP/compare/1e3872c...9861a47
  https://usn.ubuntu.com/4536-1
  https://www.debian.org/security/2019/dsa-4429
• CWE-20: Improper Input Validation

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Stored cross-site scripting (XSS) vulnerability in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.
• References:
  https://core.spip.net/projects/spip/repository/revisions/23701
  https://usn.ubuntu.com/4536-1
  https://www.debian.org/security/2018/dsa-4228
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 2% | CPEs: 14 | EXPL: 0

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
• References:
  http://www.debian.org/security/2017/dsa-3890
  https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta
  https://core.spip.net/projects/spip/repository/revisions/23593
  https://core.spip.net/projects/spip/repository/revisions/23594
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 9 | EXPL: 0

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.
• References:
  http://www.securityfocus.com/bid/95008
  http://www.securitytracker.com/id/1037486
  https://core.spip.net/projects/spip/repository/revisions/23288
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')