CVE-2022-28959
Ubuntu Security Notice USN-7318-1
Public Exploits: 1
Exploited in Wild: -
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allow attackers to execute arbitrary web scripts or HTML.
It was discovered that svg-sanitizer, vendored in SPIP, did not properly sanitize SVG/XML content. An attacker could possibly use this issue to perform cross site scripting. This issue only affected Ubuntu 24.10. It was discovered that SPIP did not properly sanitize certain inputs. A remote attacker could possibly use this issue to perform cross site scripting. This issue only affected Ubuntu 18.04 LTS.
SSVC
- Decision: -
Timeline
- 2022-04-11 CVE Reserved
- 2022-05-19 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-04-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (5)
URL | Tag | Source |
---|---|---|
https://www.root-me.org/fr/Informations/Faiblesses-decouvertes | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://thinkloveshare.com/en/hacking/rce_on_spip_and_root_me | 2024-08-03 | |
https://github.com/spip/SPIP/commit/0394b44774555ae8331b6e65e35065dfa0bb41e4 | 2022-05-26 | |
https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf | 2022-05-26 | |
https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-SPIP-3-2-8-et-SPIP-3-1-13.html | 2022-05-26 | |