Vendor CVEs
Spip
All CVEs
78 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-37155 | 0.00 | — | 0.40 | Dec 13, 2022 | RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter. | |||
| CVE-2022-28961 | 0.00 | — | 0.02 | May 19, 2022 | Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters. | |||
| CVE-2022-28960 | 0.00 | — | 0.02 | May 19, 2022 | A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire. | |||
| CVE-2022-28959 | 0.00 | — | 0.01 | May 19, 2022 | Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML. | |||
| CVE-2022-26846 | 0.00 | — | 0.03 | Mar 10, 2022 | SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code. | |||
| CVE-2022-26847 | 0.00 | — | 0.01 | Mar 10, 2022 | SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects. | |||
| CVE-2021-44123 | 0.00 | — | 0.02 | Jan 26, 2022 | SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it. | |||
| CVE-2021-44122 | 0.00 | — | 0.00 | Jan 26, 2022 | SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is… | |||
| CVE-2021-44120 | 0.00 | — | 0.01 | Jan 26, 2022 | SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes… | |||
| CVE-2021-44118 | 0.00 | — | 0.01 | Jan 26, 2022 | SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by… | |||
| CVE-2020-28984 | 0.00 | — | 0.02 | Nov 23, 2020 | prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters. | |||
| CVE-2019-19830 | 0.00 | — | 0.01 | Dec 17, 2019 | _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. | |||
| CVE-2019-16391 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php. | |||
| CVE-2019-16392 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. | |||
| CVE-2019-16393 | 0.00 | — | 0.01 | Sep 17, 2019 | SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | |||
| CVE-2019-11071 | 0.00 | — | 0.03 | Apr 10, 2019 | SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled. | |||
| CVE-2013-7303 | 0.00 | — | 0.02 | Jan 30, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field. | |||
| CVE-2013-4556 | 0.00 | — | 0.02 | Nov 18, 2013 | Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter. | |||
| CVE-2013-4555 | 0.00 | — | 0.01 | Nov 18, 2013 | Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors. | |||
| CVE-2012-4331 | 0.00 | — | 0.01 | Aug 14, 2012 | Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151. | |||
| CVE-2012-2151 | 0.00 | — | 0.02 | Aug 14, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-5813 | 0.00 | — | 0.01 | Jan 2, 2009 | SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2008-5812 | 0.00 | — | 0.02 | Jan 2, 2009 | Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors. | |||
| CVE-2007-4525 | 0.00 | — | 0.02 | Aug 25, 2007 | PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers,… | |||
| CVE-2006-1295 | 0.00 | — | 0.01 | Mar 19, 2006 | Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter. | |||
| CVE-2006-0519 | 0.00 | — | 0.02 | Feb 2, 2006 | SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message. | |||
| CVE-2006-0517 | 0.00 | — | 0.03 | Feb 2, 2006 | Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3;… | |||
| CVE-2005-4494 | 0.00 | — | 0.01 | Dec 22, 2005 | Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3. |
- CVE-2022-37155Dec 13, 2022risk 0.00cvss —epss 0.40
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
- CVE-2022-28961May 19, 2022risk 0.00cvss —epss 0.02
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
- CVE-2022-28960May 19, 2022risk 0.00cvss —epss 0.02
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
- CVE-2022-28959May 19, 2022risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML.
- CVE-2022-26846Mar 10, 2022risk 0.00cvss —epss 0.03
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
- CVE-2022-26847Mar 10, 2022risk 0.00cvss —epss 0.01
SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.
- CVE-2021-44123Jan 26, 2022risk 0.00cvss —epss 0.02
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
- CVE-2021-44122Jan 26, 2022risk 0.00cvss —epss 0.00
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is…
- CVE-2021-44120Jan 26, 2022risk 0.00cvss —epss 0.01
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes…
- CVE-2021-44118Jan 26, 2022risk 0.00cvss —epss 0.01
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by…
- CVE-2020-28984Nov 23, 2020risk 0.00cvss —epss 0.02
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
- CVE-2019-19830Dec 17, 2019risk 0.00cvss —epss 0.01
_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.
- CVE-2019-16391Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
- CVE-2019-16392Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
- CVE-2019-16393Sep 17, 2019risk 0.00cvss —epss 0.01
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
- CVE-2019-11071Apr 10, 2019risk 0.00cvss —epss 0.03
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
- CVE-2013-7303Jan 30, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.
- CVE-2013-4556Nov 18, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.
- CVE-2013-4555Nov 18, 2013risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.
- CVE-2012-4331Aug 14, 2012risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
- CVE-2012-2151Aug 14, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-5813Jan 2, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.
- CVE-2008-5812Jan 2, 2009risk 0.00cvss —epss 0.02
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.
- CVE-2007-4525Aug 25, 2007risk 0.00cvss —epss 0.02
PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers,…
- CVE-2006-1295Mar 19, 2006risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in recherche.php3 in SPIP 1.8.2-g allows remote attackers to inject arbitrary web script or HTML via the recherche parameter.
- CVE-2006-0519Feb 2, 2006risk 0.00cvss —epss 0.02
SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allows remote attackers to obtain sensitive information via a direct request to inc-messforum.php3, which reveals the path in an error message.
- CVE-2006-0517Feb 2, 2006risk 0.00cvss —epss 0.03
Multiple SQL injection vulnerabilities in formulaires/inc-formulaire_forum.php3 in SPIP 1.8.2-e and earlier and 1.9 Alpha 2 (5539) and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id_forum, (2) id_article, or (3) id_breve parameters to forum.php3;…
- CVE-2005-4494Dec 22, 2005risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3.
Page 2 of 2