CVE-2021-44120 — Cross-site Scripting in Spip

CWE-79 — Cross-site Scripting8 documents5 sources

Severity

5.4MEDIUMNVD

OSV9.8

EPSS

0.4%

top 40.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedJan 26

Latest updateMar 2

Description

SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The "Who are you" and "Website Name" fields are vulnerable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/spip< spip 3.2.11-3+deb11u1 (bullseye)

▶Debianspip/spip< 3.2.11-3+deb11u1+2

▶Ubuntuspip/spip< 3.1.4-4~deb9u5build0.18.04.1+1

▶NVDspip/spip4.0.0

Patches

Patch: git.spip.net ↗Patch: git.spip.net ↗

🔴Vulnerability Details

OSV

spip vulnerabilities↗2023-03-02

▶

OSV

spip vulnerabilities↗2022-06-16

▶

GHSA

GHSA-2v2h-p3pv-rrr5: SPIP 4↗2022-01-27

▶

OSV

CVE-2021-44120: SPIP 4↗2022-01-26

▶

📋Vendor Advisories

Ubuntu

SPIP vulnerabilities↗2023-03-02

▶

Ubuntu

SPIP vulnerabilities↗2022-06-16

▶

Debian

CVE-2021-44120: spip - SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/p...↗2021

▶