This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: Spip
Product: Spip
Version:
Type: Application
First view: 2005-12-22
Last view: 2019-12-17
Update:
Edition:
Language:
Software Edition:
Target Software:
Target Hardware:
Other:

COMMON PLATFORM ENUMERATION: Distribution per Version

CPE Name Affected CVE
cpe:2.3:a:spip:spip:2.0.0:*:*:*:*:*:*:* 21
cpe:2.3:a:spip:spip:2.0.1:*:*:*:*:*:*:* 21
cpe:2.3:a:spip:spip:1.8.3:*:*:*:*:*:*:* 21
cpe:2.3:a:spip:spip:1.8.2:*:*:*:*:*:*:* 21
cpe:2.3:a:spip:spip:1.8.2g:*:*:*:*:*:*:* 21
cpe:2.3:a:spip:spip:1.8.1:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b2:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b5:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b4:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b1:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b3:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8b6:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8.2b:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:1.8.2e:*:*:*:*:*:*:* 20
cpe:2.3:a:spip:spip:2.0.2:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.8:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:1.9.alpha1:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.7:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.5:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.3:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.4:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:2.0.6:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:1.9.2:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:1.7.2:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:1.8.2d:*:*:*:*:*:*:* 19
cpe:2.3:a:spip:spip:1.9.1:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:1.9:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:1.9_alpha2_5539:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.22:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.4:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.9:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.10:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:3.0.5:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:3.0.8:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.13:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:3.0.2:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.7:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.12:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.11:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:3.0.1:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.13:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.14:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:3.0.3:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.16:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.3:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.12:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.6:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.0.17:*:*:*:*:*:*:* 18
cpe:2.3:a:spip:spip:2.1.14:*:*:*:*:*:*:* 18

Related : CVE

This CPE product has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score Date Alert Description
6.5 2019-12-17 CVE-2019-19830

_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database.

5.3 2019-09-17 CVE-2019-16394

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

6.1 2019-09-17 CVE-2019-16393

SPIP before 3.1.11 and 3.2 before 3.2.5 mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

6.1 2019-09-17 CVE-2019-16392

SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.

6.5 2019-09-17 CVE-2019-16391

SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.

8.8 2019-04-10 CVE-2019-11071

SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

6.1 2017-10-22 CVE-2017-15736

Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.

9.8 2017-06-17 CVE-2017-9736

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

7.4 2017-01-18 CVE-2016-7999

ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

8.8 2017-01-18 CVE-2016-7998

The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.

7.5 2017-01-18 CVE-2016-7982

Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.

6.1 2017-01-18 CVE-2016-7981

Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.

8.8 2017-01-18 CVE-2016-7980

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.

6.1 2016-12-16 CVE-2016-9998

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.

6.1 2016-12-16 CVE-2016-9997

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.

6.1 2016-12-05 CVE-2016-9152

Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter.

9.8 2016-04-08 CVE-2016-3154

The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

9.8 2016-04-08 CVE-2016-3153

SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

4.3 2014-01-30 CVE-2013-7303

Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.

7.5 2013-11-17 CVE-2013-4557

The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.

4.3 2013-11-17 CVE-2013-4556

Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.

6.8 2013-11-17 CVE-2013-4555

Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that log out the user via unspecified vectors.

7.5 2013-07-09 CVE-2013-2118

SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.

10 2012-08-14 CVE-2012-4331

Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.

4.3 2012-08-14 CVE-2012-2151

Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CWE : Common Weakness Enumeration

% id Name
37% (9) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
16% (4) CWE-94 Failure to Control Generation of Code ('Code Injection')
12% (3) CWE-20 Improper Input Validation
8% (2) CWE-352 Cross-Site Request Forgery (CSRF)
4% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
4% (1) CWE-264 Permissions, Privileges, and Access Controls
4% (1) CWE-200 Information Exposure
4% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
4% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...
4% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

Oval Markup Language : Definitions

OvalID Name
oval:org.mitre.oval:def:18470 DSA-2461-1 spip - several
oval:org.mitre.oval:def:19736 DSA-2694-1 spip - privilege escalation
oval:org.mitre.oval:def:19919 DSA-2794-1 spip - several

Open Source Vulnerability Database (OSVDB)

id Description
76183 SPIP CMS Unspecified SQL Injection
57510 SPIP Database Backup Unspecified Authentication Bypass
51140 SPIP inc/rubriques.php ID Parameter SQL Injection
51137 SPIP Multiple Unspecified Issues
38443 SPIP inc-calcul.php3 squelette_cache Parameter Remote File Inclusion
31035 SPIP recherche.php3 recherche Parameter XSS
24630 SPIP spip_login.php3 url Variable Arbitrary Site Redirect
23087 SPIP spip_acces_doc.php3 file Parameter SQL Injection
23086 SPIP spip_rss.php type_urls Parameter Traversal Local File Inclusion
22849 SPIP index.php3 lang Parameter XSS
22848 SPIP Session Handling Petition Posting Multiple Unspecified SQL Injection
22846 SPIP inc-messforum.php3 Direct Access Path Disclosure
22845 SPIP forum.php3 Multiple Parameter SQL Injection
21865 SPIP spip_pass.php3 XSS
21864 SPIP spip_login.php3 XSS

ExploitDB Exploits

id Description
33425 SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation

OpenVAS Exploits

id Description
2012-04-30 Name : Debian Security Advisory DSA 2461-1 (spip)
File : nvt/deb_2461_1.nasl
2006-03-26 Name : SPIP < 1.8.2-g SQL Injection and XSS Flaws
File : nvt/spip_sql_injection.nasl

Nessus® Vulnerability Scanner

id Description
2018-06-15 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4228.nasl - Type: ACT_GATHER_INFO
2017-06-22 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3890.nasl - Type: ACT_GATHER_INFO
2016-12-27 Name: The remote Debian host is missing a security update.
File: debian_DLA-760.nasl - Type: ACT_GATHER_INFO
2016-12-09 Name: The remote Debian host is missing a security update.
File: debian_DLA-738.nasl - Type: ACT_GATHER_INFO
2016-11-03 Name: The remote Debian host is missing a security update.
File: debian_DLA-695.nasl - Type: ACT_GATHER_INFO
2016-03-17 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3518.nasl - Type: ACT_GATHER_INFO
2013-11-21 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2794.nasl - Type: ACT_GATHER_INFO
2013-05-28 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2694.nasl - Type: ACT_GATHER_INFO
2012-04-27 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2461.nasl - Type: ACT_GATHER_INFO
2006-02-25 Name: The remote web server has a PHP application that is affected by multiple flaws.
File: spip_sql_injection.nasl - Type: ACT_GATHER_INFO