CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2151
https://notcve.org/view.php?id=CVE-2012-2151
Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en SPIP v1.9.x antes de v1.9.2.o, v2.0.x antes de v2.0.18, y v2.1.x antes de v2.1.13 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://archives.rezo.net/archives/spip-en.mbox/U5QUZ6WJRAJC7H5BR7W5SQG6WCD3PXL7 http://secunia.com/advisories/48939 http://www.debian.org/security/2012/dsa-2461 http://www.openwall.com/lists/oss-security/2012/04/30/4 http://www.openwall.com/lists/oss-security/2012/05/01/4 http://www.osvdb.org/81473 http://www.securityfocus.com/bid/53216 http://www.securitytracker.com/id?1026970 https://exchange.xforce.ibmcloud.com/vulnerabilities/75104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-4331
https://notcve.org/view.php?id=CVE-2012-4331
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151. Múltiples vulnerabilidades no especificadas en SPIP antes de v1.9.2.o, v2.0.x antes de v2.0.18 y v2.1.x antes de v2.1.13 tienen un impacto desconocido y vectores de ataque que no están relacionados con secuencias de comandos entre sitios (XSS). Se trata de vulnerabilidades diferentes a las de CVE-2012-2151. • http://archives.rezo.net/archives/spip-en.mbox/U5QUZ6WJRAJC7H5BR7W5SQG6WCD3PXL7 http://www.securitytracker.com/id?1026970 •
CVSS: 7.5EPSS: 7%CPEs: 18EXPL: 2CVE-2009-3041 – SPIP < 2.0.9 - Arbitrary Copy All Passwords to '.XML' File
https://notcve.org/view.php?id=CVE-2009-3041
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009. SPIP v1.9 anterior v1.9.2i y v2.0.x hasta 2.0.8 no usa propiedades de control de acceso para 1) ecrire/exec/install.php y(2) ecrire/index.php, permitiendo a atacantes remotos dirigir actividades no autorizadas relacionadas con la instalación y copias de seguridad, tal como se ha explotado en Agosto de 2009. • https://www.exploit-db.com/exploits/9448 http://fil.rezo.net/secu-14346-14350+14354.patch http://secunia.com/advisories/36365 http://www.securityfocus.com/bid/36008 http://www.spip-contrib.net/SPIP-Security-Alert-new-version https://exchange.xforce.ibmcloud.com/vulnerabilities/52381 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 18EXPL: 0CVE-2008-5812
https://notcve.org/view.php?id=CVE-2008-5812
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors. Múltiples vulnerabilidades no especificadas en SPIP v1.8 anteriores a v1.8.3b, 1.9 anteriores a v1.9.2g y v2.0 anteriores a v2.0.2 tienen un impacto y vectores de ataque desconocidos. • http://secunia.com/advisories/33307 http://www.securityfocus.com/bid/33061 http://www.spip-contrib.net/SPIP-1-8-3b-1-9-2g-2-2 https://exchange.xforce.ibmcloud.com/vulnerabilities/47695 •
CVSS: 7.5EPSS: 0%CPEs: 18EXPL: 0CVE-2008-5813
https://notcve.org/view.php?id=CVE-2008-5813
SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en inc/rubriques.php en SPIP v1.8 anteriores a v1.8.3b, v1.9 anteriores a v1.9.2g, y v2.0 anteriores a v2.0.2 permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro "ID". NOTA: algunos de los detalles han sido obtenidos a partir de la información de terceros. • http://secunia.com/advisories/33307 http://www.securityfocus.com/bid/33021 http://www.securityfocus.com/bid/33061 http://www.spip-contrib.net/SPIP-1-8-3b-1-9-2g-2-2 https://exchange.xforce.ibmcloud.com/vulnerabilities/47626 https://exchange.xforce.ibmcloud.com/vulnerabilities/47695 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •