CVSS: 9.8EPSS: 0%CPEs: 63EXPL: 0CVE-2016-3153
https://notcve.org/view.php?id=CVE-2016-3153
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function. SPIP 2.x en versiones anteriore a 2.1.19, 3.0.x en versiones anteriores a 3.0.22 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos ejecutar código PHP arbitrario añadiendo contenido, relacionado con la función filtrer_entites. • http://www.debian.org/security/2016/dsa-3518 https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-1-SPIP-3-0-22-et-SPIP-2-1.html?lang=fr https://core.spip.net/projects/spip/repository/revisions/22911 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 62EXPL: 0CVE-2016-3154
https://notcve.org/view.php?id=CVE-2016-3154
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. La función encoder_contexte_ajax en ecrire/inc/filtres.php en SPIP 2.x en versiones anteriores a 2.1.19, 3.0.x en versiones anteriores a 3.0.22 y 3.1.x en versiones anteriores a 3.1.1 permite a atacantes remotos llevar a cabo ataques de inyección de objeto PHP y ejecutar código PHP arbitrario a través de un objeto serializado manipulado. • http://www.debian.org/security/2016/dsa-3518 https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-1-SPIP-3-0-22-et-SPIP-2-1.html?lang=fr https://core.spip.net/projects/spip/repository/revisions/22903 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 52EXPL: 0CVE-2013-7303
https://notcve.org/view.php?id=CVE-2013-7303
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field. Múltiples vulnerabilidades de XSS en (1) squelettes-dist/formulaires/inscription.php y (2) prive/forms/editer_auteur.php de SPIP anterior a la versión 2.1.25 y 3.0.x anterior a 3.0.13 permite a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de nombre de autor. • http://core.spip.org/projects/spip/repository/revisions/20902 http://seclists.org/oss-sec/2014/q1/123 http://seclists.org/oss-sec/2014/q1/128 http://secunia.com/advisories/56381 http://www.securitytracker.com/id/1029703 http://www.spip.net/fr_article5648.html http://www.spip.net/fr_article5665.html http://zone.spip.org/trac/spip-zone/changeset/77768 https://exchange.xforce.ibmcloud.com/vulnerabilities/90643 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 46EXPL: 1CVE-2013-4555
https://notcve.org/view.php?id=CVE-2013-4555
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors. Vulnerabilidad de CSRF en ecrire/action/logout.php de SPIP anterior a la versión 2.1.24 permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios por solicitudes que cierren la sesión del usuario a través de vectores sin especificar. • http://core.spip.org/projects/spip/repository/revisions/20874 http://secunia.com/advisories/55551 http://www.openwall.com/lists/oss-security/2013/11/10/4 http://www.securitytracker.com/id/1029317 http://www.spip.net/fr_article5646.html https://www.debian.org/security/2013/dsa-2794 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 58EXPL: 0CVE-2013-4556
https://notcve.org/view.php?id=CVE-2013-4556
Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter. Vulnerabilidad de XSS en la página de autor (prive/formulaires/editer_auteur.php) de SPIP anterior a la versión 2.1.24 y 3.0.x anterior a 3.0.12 permite a atacantes remotos inyectar script web o HTML arbitrario a través del parámetro url_site. • http://core.spip.org/projects/spip/repository/revisions/20879 http://core.spip.org/projects/spip/repository/revisions/20880 http://secunia.com/advisories/55551 http://www.openwall.com/lists/oss-security/2013/11/10/4 http://www.securitytracker.com/id/1029317 http://www.spip.net/fr_article5646.html http://www.spip.net/fr_article5648.html https://www.debian.org/security/2013/dsa-2794 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •