oval:org.secpod.oval:def:54503
It was discovered that SPIP, a website engine for publishing, did not properly sanitize its user input. This would allow an authenticated user to perform arbitrary command execution.

oval:org.secpod.oval:def:69871
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks, access sensitive information, or execute arbitrary code.

oval:org.secpod.oval:def:79850
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code. For the oldstable distribution, this problem has been fixed in version 3.2.4-1+deb10u7.

oval:org.secpod.oval:def:600790
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.

oval:org.secpod.oval:def:601144
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site request forgery on logout, cross-site scripting on author page, and PHP injection.

oval:org.secpod.oval:def:601041
A privilege escalation vulnerability has been found in SPIP, a website engine for publishing, which allows anyone to take control of the website.

oval:org.secpod.oval:def:600643
Two vulnerabilities have been found in SPIP, a website engine for publishing, which allow privilege escalation to site administrator privileges and cross-site scripting. The oldstable distribution doesn't include spip.

oval:org.secpod.oval:def:601316
spip is installed

oval:org.secpod.oval:def:600243
A vulnerability has been found in SPIP, a website engine for publishing, which allows a malicious registered author to disconnect the website from its database, resulting in denial of service. The oldstable distribution doesn't include spip.

oval:org.secpod.oval:def:607814
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks. For the oldstable distribution, this problem has been fixed in version 3.2.4-1+deb10u8.

oval:org.secpod.oval:def:606123
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code. For the oldstable distribution, this problem has been fixed in version 3.2.4-1+deb10u7.

oval:org.secpod.oval:def:610357
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform SQL injection attacks, or bypass authorization access.

oval:org.secpod.oval:def:603847
It was discovered that SPIP, a website engine for publishing, did not properly sanitize its user input. This would allow an authenticated user to perform arbitrary command execution.

oval:org.secpod.oval:def:58852
It was discovered that SPIP, a website engine for publishing, would allow unauthenticated users to modify published content and write to the database, perform cross-site request forgeries, and enumerate registered users.

oval:org.secpod.oval:def:1900848
Cross-site scripting vulnerability in SPIP before 3.1.7 allows remote attackers to inject arbitrary web script or HTML via a crafted string, as demonstrated by a PGP field, related to prive/objets/contenu/auteur.html and ecrire/inc/texte_mini.php.

oval:org.secpod.oval:def:1901856
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

oval:org.secpod.oval:def:69795
A vulnerability was discovered in the SPIP publishing system, which could result in unauthorised writes to the database by authors. The oldstable distribution is not affected.

oval:org.secpod.oval:def:69910
It was discovered that SPIP, a website engine for publishing, would allow unauthenticated users to modify published content and write to the database, perform cross-site request forgeries, and enumerate registered users.

oval:org.secpod.oval:def:53352
Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection.

oval:org.secpod.oval:def:603431
Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in cross-site scripting and PHP injection.

oval:org.secpod.oval:def:604543
It was discovered that SPIP, a website engine for publishing, would allow unauthenticated users to modify published content and write to the database, perform cross-site request forgeries, and enumerate registered users.

oval:org.secpod.oval:def:89412
spip: website engine for publishing. Details: USN-5482-1 fixed several vulnerabilities in SPIP. This update provides the corresponding updates for Linux Mint 20.x LTS for CVE-2021-44118, CVE-2021-44120, CVE-2021-44122 and CVE-2021-44123. Original advisory: Several security issues were fixed in SPIP.

oval:org.secpod.oval:def:88360
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks. For the oldstable distribution, this problem has been fixed in version 3.2.4-1+deb10u8.

oval:org.secpod.oval:def:88381
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code or escalate privileges.

oval:org.secpod.oval:def:88484
spip: website engine for publishing. Several security issues were fixed in SPIP.

oval:org.secpod.oval:def:89326
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform SQL injection attacks, or bypass authorization access.

oval:org.secpod.oval:def:89369
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code.

oval:org.secpod.oval:def:1900465
SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.

oval:org.secpod.oval:def:53084
Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.

oval:org.secpod.oval:def:602957
Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.

oval:org.secpod.oval:def:1900499
SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.

oval:org.secpod.oval:def:1900435
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

oval:org.secpod.oval:def:1900713
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted INCLUDE or INCLURE tag and then accessing it with a valider_xml action.

oval:org.secpod.oval:def:1900948
Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.

oval:org.secpod.oval:def:1901156
Cross-site request forgery vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined wi ...

oval:org.secpod.oval:def:1901216
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery attacks via a URL in the var_url parameter in a valider_xml action.

oval:org.secpod.oval:def:1901108
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

oval:org.secpod.oval:def:602432
Several vulnerabilities were found in SPIP, a website engine for publishing, resulting in code injection. CVE-2016-3153: g0uZ et sambecks, from team root-me, discovered that arbitrary PHP code could be injected when adding content. CVE-2016-3154: Gilles Vincent discovered that deserializing untrusted ...

oval:org.secpod.oval:def:1901451
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

oval:org.secpod.oval:def:1901560
Cross-site scripting vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.