Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Spip
(Spip)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 52 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2007-08-25 | CVE-2007-4525 | PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers, stating that the squelette_cache variable is initialized before use, and is only used within the scope of a function | Spip | N/A | ||
| 2024-01-04 | CVE-2023-52322 | ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics. | Spip | 6.1 | ||
| 2024-01-19 | CVE-2024-23659 | SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js. | Spip | 6.1 | ||
| 2022-05-19 | CVE-2022-28960 | A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire. | Spip | 8.8 | ||
| 2023-02-28 | CVE-2023-27372 | SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. | Debian_linux, Spip | 9.8 | ||
| 2023-02-27 | CVE-2023-24258 | SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request. | Spip | 9.8 | ||
| 2019-09-17 | CVE-2019-16391 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php. | Ubuntu_linux, Debian_linux, Spip | 6.5 | ||
| 2019-09-17 | CVE-2019-16392 | SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages. | Ubuntu_linux, Debian_linux, Spip | 6.1 | ||
| 2019-09-17 | CVE-2019-16393 | SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character. | Ubuntu_linux, Debian_linux, Spip | 6.1 | ||
| 2022-12-14 | CVE-2022-37155 | RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter. | Spip | 8.8 |