This CPE summary could be partial or incomplete. Please contact us for a detailed listing.


Vendor Spip First view 2017-06-17
Product Spip Last view 2020-11-23
Version 3.1.4 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
CPE Product cpe:2.3:a:spip:spip

Activity : Overall

Related : CVE

  Date Alert Description
9.8 2020-11-23 CVE-2020-28984

prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.

6.5 2019-12-17 CVE-2019-19830

_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.

5.3 2019-09-17 CVE-2019-16394

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

6.1 2019-09-17 CVE-2019-16393

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

6.1 2019-09-17 CVE-2019-16392

SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

6.5 2019-09-17 CVE-2019-16391

SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.

8.8 2019-04-10 CVE-2019-11071

SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

6.1 2017-10-22 CVE-2017-15736

Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.

9.8 2017-06-17 CVE-2017-9736

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

CWE : Common Weakness Enumeration

28% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
28% (2) CWE-20 Improper Input Validation
14% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
14% (1) CWE-200 Information Exposure
14% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...

Nessus® Vulnerability Scanner

id Description
2018-06-15 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4228.nasl - Type: ACT_GATHER_INFO
2017-06-22 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3890.nasl - Type: ACT_GATHER_INFO