Page 4 of 26 results (0.016 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php. Vulnerabilidad de Cross-Site Scripting (XSS) (persistente) en SPIP en versiones anteriores a la 3.1.7 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante una cadena manipulada, tal y como demuestra un campo PGP, relacionado con prive/objets/contenu/auteur.html y ecrire/inc/texte_mini.php. • https://core.spip.net/projects/spip/repository/revisions/23701 https://usn.ubuntu.com/4536-1 https://www.debian.org/security/2018/dsa-4228 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 2%CPEs: 14EXPL: 0

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution. SPIP en versiones 3.1.x anteriores a la 3.1.6 y versiones 3.2.x anteriores a la Beta 3 no elimina los metacaracteres shell del campo host, lo que permite que un atacante remoto provoque la ejecución remota de código. • http://www.debian.org/security/2017/dsa-3890 https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta https://core.spip.net/projects/spip/repository/revisions/23593 https://core.spip.net/projects/spip/repository/revisions/23594 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL. SPIP 3.1.x sufre de una vulnerabilidad de XSS reflectada en /ecrire/exec/puce_statut.php involucrando el parámetro `$id`, según lo demostrado por una URL /ecrire/?exec=puce_statut. • http://www.securityfocus.com/bid/95008 http://www.securitytracker.com/id/1037486 https://core.spip.net/projects/spip/repository/revisions/23288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 0

SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL. SPIP 3.1.x sufre de una vulnerabilidad de XSS reflectada en /ecrire/exec/info_plugin.php involucrando el parámetro `$plugin`, según lo demostrado por una URL /ecrire/?exec=info_plugin. • http://www.securityfocus.com/bid/95008 http://www.securitytracker.com/id/1037486 https://core.spip.net/projects/spip/repository/revisions/23288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action. Ecrire/exec/valider_xml.php en SPIP 3.1.2 y versiones anteriores permite a atacantes llevar a cabo ataques de SSRF a través de una URL en el parámetro var_url en una acción valider_xml. SPIP versions 3.1.2 and below suffer from a server-side request forgery vulnerability. • http://www.openwall.com/lists/oss-security/2016/10/05/17 http://www.openwall.com/lists/oss-security/2016/10/07/5 http://www.openwall.com/lists/oss-security/2016/10/08/6 http://www.openwall.com/lists/oss-security/2016/10/12/10 http://www.securityfocus.com/bid/93451 https://core.spip.net/projects/spip/repository/revisions/23188 https://core.spip.net/projects/spip/repository/revisions/23193 https://sysdream.com/news/lab/2016-10-19-spip-3-1-2-server-side • CWE-918: Server-Side Request Forgery (SSRF) •