CVE-2021-44122Cross-Site Request Forgery in Spip

CWE-352Cross-Site Request Forgery8 documents5 sources
Severity
8.8HIGHNVD
OSV9.8
EPSS
0.2%
top 55.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SpipDebian Spip
Timeline
PublishedJan 26
Latest updateMar 2

Description

SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

debiandebian/spip< spip 3.2.11-3+deb11u1 (bullseye)
Debianspip/spip< 3.2.11-3+deb11u1+2
Ubuntuspip/spip< 3.1.4-4~deb9u5build0.18.04.1+1
NVDspip/spip4.0.0

Patches

Patch: git.spip.netPatch: git.spip.net

🔴Vulnerability Details

4
OSV
spip vulnerabilities2023-03-02
OSV
spip vulnerabilities2022-06-16
GHSA
GHSA-fv46-9fmf-2p7g: SPIP 42022-01-27
OSV
CVE-2021-44122: SPIP 42022-01-26

📋Vendor Advisories

3
Ubuntu
SPIP vulnerabilities2023-03-02
Ubuntu
SPIP vulnerabilities2022-06-16
Debian
CVE-2021-44122: spip - SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in e...2021