Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Spip Subscribe
Filtered by product Spip
Total 50 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-7980 1 Spip 1 Spip 2017-05-23 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.
CVE-2016-7981 1 Spip 1 Spip 2017-01-23 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
CVE-2013-4555 1 Spip 1 Spip 2016-12-07 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.
CVE-2013-4556 1 Spip 1 Spip 2016-12-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.
CVE-2013-4557 1 Spip 1 Spip 2016-12-07 7.5 HIGH N/A
The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.
CVE-2016-3153 2 Debian, Spip 2 Debian Linux, Spip 2016-04-14 7.5 HIGH 9.8 CRITICAL
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
CVE-2016-3154 1 Spip 1 Spip 2016-04-14 7.5 HIGH 9.8 CRITICAL
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
CVE-2013-2118 1 Spip 1 Spip 2013-10-11 7.5 HIGH N/A
SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.
CVE-2012-4331 1 Spip 1 Spip 2012-08-15 10.0 HIGH N/A
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
CVE-2005-4494 1 Spip 1 Spip 2011-03-07 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in SPIP 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) spip_login.php3 and (2) spip_pass.php3.