vulnerability bulletin 9798
SPIP: Cross Site Scripting of informer_auteur
Synthesis of the vulnerability
An attacker can generate a Cross Site Scripting in the SPIP informer_auteur page, in order to execute JavaScript code in the context of the web browser of visitors.
Severity: 2/4.
Creation date: 30/07/2010.
Description of the vulnerability
The SPIP "informer_auteur" page displays information on the author of a document.
The prive/informer_auteur_fonctions.php file contains the function informer_auteur(). However, this function does not filter the "var_login" parameter.
An attacker can therefore generate a Cross Site Scripting in the SPIP informer_auteur page, in order to execute JavaScript code in the context of the web browser of visitors.
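A defender-side check for the issue described above, as an added example that is not part of the bulletin or of SPIP: it scans web server access log lines for requests to informer_auteur whose var_login value contains HTML markup characters. The combined log format, the /spip.php?page=... URL layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that matter in HTML output and are unexpected in a login name.
MARKUP_RE = re.compile(r'[<>"]')


def suspicious_var_login(line):
    """Return the decoded var_login value if the request targets
    informer_auteur and the value contains markup characters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    if "informer_auteur" not in target:
        return None
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("var_login", []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        decoded = unquote(value)
        if MARKUP_RE.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_var_login(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IP range, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jul/2010:10:00:01 +0200] "GET /spip.php?page=informer_auteur&var_login=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [30/Jul/2010:10:00:07 +0200] "GET /spip.php?page=informer_auteur&var_login=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [30/Jul/2010:10:00:09 +0200] "GET /spip.php?page=informer_auteur&var_login=%253Cb%253Ex HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [30/Jul/2010:10:00:12 +0200] "GET /spip.php?page=article&var_login=%3Cb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: var_login={value!r}")
```

Hits from such a scan indicate requests worth reviewing; they do not by themselves show that script ran in a visitor's browser.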
Characteristics
Title: SPIP: Cross Site Scripting of informer_auteur.
Keywords: Cross JavaScript SPIP Scripting Site informer_auteur informer_auteur_fonctions var_login.
Identifiers: BID-42060, VIGILANCE-VUL-9798.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.