Spip
By the Year
In 2024 there have been 2 vulnerabilities in Spip with an average score of 6.1 out of ten. Last year Spip had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Spip in 2024 could surpass last years number. Last year, the average CVE base score was greater by 3.70
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 2 | 6.10 |
| 2023 | 2 | 9.80 |
| 2022 | 10 | 7.50 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 9.80 |
| 2019 | 6 | 6.55 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Spip vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Spip Security Vulnerabilities
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file
CVE-2024-23659
6.1 - Medium
- January 19, 2024
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.
XSS
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7
CVE-2023-52322
6.1 - Medium
- January 04, 2024
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
XSS
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled
CVE-2023-27372
9.8 - Critical
- February 28, 2023
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter
CVE-2023-24258
9.8 - Critical
- February 27, 2023
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
SQL Injection
RCE in SPIP 3.1.13 through 4.1.2
CVE-2022-37155
8.8 - High
- December 14, 2022
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire
CVE-2022-28961
8.8 - High
- May 19, 2022
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
SQL Injection
A PHP injection vulnerability in Spip before v3.2.8
CVE-2022-28960
8.8 - High
- May 19, 2022
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
Output Sanitization
Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below
CVE-2022-28959
6.1 - Medium
- May 19, 2022
Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML.
XSS
SPIP before 3.2.14 and 4.x before 4.0.5
CVE-2022-26846
8.8 - High
- March 10, 2022
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
SPIP before 3.2.14 and 4.x before 4.0.5
CVE-2022-26847
5.3 - Medium
- March 10, 2022
SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.
Information Disclosure
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php
CVE-2021-44120
5.4 - Medium
- January 26, 2022
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The "Who are you" and "Website Name" fields are vulnerable.
XSS
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability
CVE-2021-44118
5.4 - Medium
- January 26, 2022
SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by other users (stored XSS).
XSS
SPIP 4.0.0 is affected by a remote command execution vulnerability
CVE-2021-44123
8.8 - High
- January 26, 2022
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
Unrestricted File Upload
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php
CVE-2021-44122
8.8 - High
- January 26, 2022
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).
Session Riding
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur
CVE-2020-28984
9.8 - Critical
- November 23, 2020
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
_core_/plugins/medias in SPIP 3.2.x before 3.2.7
CVE-2019-19830
6.5 - Medium
- December 17, 2019
_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.
SPIP before 3.1.11 and 3.2 before 3.2.5
CVE-2019-16391
6.5 - Medium
- September 17, 2019
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages
CVE-2019-16394
5.3 - Medium
- September 17, 2019
SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.
Side Channel Attack
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D
CVE-2019-16393
6.1 - Medium
- September 17, 2019
SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.
Open Redirect
SPIP before 3.1.11 and 3.2 before 3.2.5
CVE-2019-16392
6.1 - Medium
- September 17, 2019
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.
XSS
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4
CVE-2019-11071
8.8 - High
- April 10, 2019
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
Improper Input Validation
PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2
CVE-2007-4525
- August 25, 2007
PHP remote file inclusion vulnerability in inc-calcul.php3 in SPIP 1.7.2 allows remote attackers to execute arbitrary PHP code via a URL in the squelette_cache parameter, a different vector than CVE-2006-1702. NOTE: this issue has been disputed by third party researchers, stating that the squelette_cache variable is initialized before use, and is only used within the scope of a function
Code Injection
