Spip
by Spip
Source repositories
CVEs (78)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28984 | 0.00 | — | 0.02 | Nov 23, 2020 | prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters. | |||
| CVE-2019-19830 | 0.00 | — | 0.01 | Dec 17, 2019 | _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. | |||
| CVE-2019-16391 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php. | |||
| CVE-2019-16392 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. | |||
| CVE-2019-16393 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | |||
| CVE-2019-11071 | 0.00 | — | 0.03 | Apr 10, 2019 | SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled. | |||
| CVE-2013-7303 | 0.00 | — | 0.02 | Jan 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field. | |||
| CVE-2013-4556 | 0.00 | — | 0.02 | Nov 18, 2013 | Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter. | |||
| CVE-2013-4555 | 0.00 | — | 0.01 | Nov 18, 2013 | Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors. | |||
| CVE-2012-4331 | 0.00 | — | 0.01 | Aug 14, 2012 | Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151. | |||
| CVE-2012-2151 | 0.00 | — | 0.02 | Aug 14, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-5813 | 0.00 | — | 0.01 | Jan 2, 2009 | SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-5812 | 0.00 | — | 0.02 | Jan 2, 2009 | Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors. | |||
| CVE-2007-4525 | 0.00 | — | 0.02 | Aug 25, 2007 | PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers,… | |||
| CVE-2006-1295 | 0.00 | — | 0.01 | Mar 19, 2006 | Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter. | |||
| CVE-2006-0519 | 0.00 | — | 0.02 | Feb 2, 2006 | SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message. | |||
| CVE-2006-0517 | 0.00 | — | 0.03 | Feb 2, 2006 | Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3;… | |||
| CVE-2005-4494 | 0.00 | — | 0.01 | Dec 22, 2005 | Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3. |
- CVE-2020-28984Nov 23, 2020risk 0.00cvss —epss 0.02
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
- CVE-2019-19830Dec 17, 2019risk 0.00cvss —epss 0.01
_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.
- CVE-2019-16391Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
- CVE-2019-16392Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
- CVE-2019-16393Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
- CVE-2019-11071Apr 10, 2019risk 0.00cvss —epss 0.03
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
- CVE-2013-7303Jan 30, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.
- CVE-2013-4556Nov 18, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.
- CVE-2013-4555Nov 18, 2013risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.
- CVE-2012-4331Aug 14, 2012risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
- CVE-2012-2151Aug 14, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-5813Jan 2, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5812Jan 2, 2009risk 0.00cvss —epss 0.02
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.
- CVE-2007-4525Aug 25, 2007risk 0.00cvss —epss 0.02
PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers,…
- CVE-2006-1295Mar 19, 2006risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter.
- CVE-2006-0519Feb 2, 2006risk 0.00cvss —epss 0.02
SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message.
- CVE-2006-0517Feb 2, 2006risk 0.00cvss —epss 0.03
Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3;…
- CVE-2005-4494Dec 22, 2005risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3.
Page 4 of 4