Spip

All CVEs

78 total · sorted by risk
  • CVE-2022-37155 · Dec 13, 2022
    risk 0.00 · cvss · epss 0.40

    RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

  • CVE-2022-28961 · May 19, 2022
    risk 0.00 · cvss · epss 0.02

    Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.

  • CVE-2022-28960 · May 19, 2022
    risk 0.00 · cvss · epss 0.02

    A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.

  • CVE-2022-28959 · May 19, 2022
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allow attackers to execute arbitrary web scripts or HTML.

  • CVE-2022-26846 · Mar 10, 2022
    risk 0.00 · cvss · epss 0.03

    SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

  • CVE-2022-26847 · Mar 10, 2022
    risk 0.00 · cvss · epss 0.01

    SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

  • CVE-2021-44123 · Jan 26, 2022
    risk 0.00 · cvss · epss 0.02

    SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.

  • CVE-2021-44122 · Jan 26, 2022
    risk 0.00 · cvss · epss 0.00

    SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is…

  • CVE-2021-44120 · Jan 26, 2022
    risk 0.00 · cvss · epss 0.01

    SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes…

  • CVE-2021-44118 · Jan 26, 2022
    risk 0.00 · cvss · epss 0.01

    SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by…

  • CVE-2020-28984 · Nov 23, 2020
    risk 0.00 · cvss · epss 0.02

    prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.

  • CVE-2019-19830 · Dec 17, 2019
    risk 0.00 · cvss · epss 0.01

    _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.

  • CVE-2019-16391 · Sep 17, 2019
    risk 0.00 · cvss · epss 0.01

    SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.

  • CVE-2019-16392 · Sep 17, 2019
    risk 0.00 · cvss · epss 0.01

    SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

  • CVE-2019-16393 · Sep 17, 2019
    risk 0.00 · cvss · epss 0.01

    SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

  • CVE-2019-11071 · Apr 10, 2019
    risk 0.00 · cvss · epss 0.03

    SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

  • CVE-2013-7303 · Jan 30, 2014
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.

  • CVE-2013-4556 · Nov 18, 2013
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.

  • CVE-2013-4555 · Nov 18, 2013
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that log out the user via unspecified vectors.

  • CVE-2012-4331 · Aug 14, 2012
    risk 0.00 · cvss · epss 0.01

    Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.

  • CVE-2012-2151 · Aug 14, 2012
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2008-5813 · Jan 2, 2009
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2008-5812 · Jan 2, 2009
    risk 0.00 · cvss · epss 0.02

    Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.

  • CVE-2007-4525 · Aug 25, 2007
    risk 0.00 · cvss · epss 0.02

    PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers,…

  • CVE-2006-1295 · Mar 19, 2006
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter.

  • CVE-2006-0519 · Feb 2, 2006
    risk 0.00 · cvss · epss 0.02

    SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message.

  • CVE-2006-0517 · Feb 2, 2006
    risk 0.00 · cvss · epss 0.03

    Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3;…

  • CVE-2005-4494 · Dec 22, 2005
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3.

Page 2 of 2