CVE-2019-16393 — Open Redirect in Spip

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 38.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedSep 17

Latest updateMay 24

Description

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

▶NVDspip/spip3.2.0 — 3.2.5+1

▶debiandebian/spip< spip 3.2.5-1 (bullseye)

▶Debianspip/spip< 3.2.5-1+2

▶Ubuntuspip/spip< 3.1.4-4~deb9u3build0.18.04.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 18.04

GHSA

GHSA-qgm5-36jw-p76q: SPIP before 3↗2022-05-24

▶

OSV

spip vulnerabilities↗2020-09-24

▶

OSV

CVE-2019-16393: SPIP before 3↗2019-09-17

▶

Ubuntu

SPIP vulnerabilities↗2020-09-24

▶

Debian

CVE-2019-16393: spip - SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/h...↗2019

▶