CVE-2017-15736 — Cross-site Scripting in Spip

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 55.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedOct 22

Latest updateMay 13

Description

Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/spip< spip 3.1.4-4 (bullseye)

▶Debianspip/spip< 3.1.4-4+2

▶Ubuntuspip/spip< 3.1.4-4~deb9u3build0.18.04.1

▶NVDspip/spip3.1.6

🔴Vulnerability Details

GHSA

GHSA-mfv3-xjr8-9xpg: Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3↗2022-05-13

▶

OSV

spip vulnerabilities↗2020-09-24

▶

OSV

CVE-2017-15736: Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3↗2017-10-22

▶

📋Vendor Advisories

Ubuntu

SPIP vulnerabilities↗2020-09-24

▶

Debian

CVE-2017-15736: spip - Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows re...↗2017

▶