The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of SPIP

computer vulnerability alert 25596

SPIP: vulnerability via valider_xml

Synthesis of the vulnerability

A vulnerability via valider_xml() of SPIP was announced.
Impacted products: SPIP.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 19/03/2018.
Identifiers: VIGILANCE-VUL-25596.

Description of the vulnerability

A vulnerability via valider_xml() of SPIP was announced.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-15736

SPIP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of SPIP, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, SPIP.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/10/2017.
Identifiers: CVE-2017-15736, DSA-4228-1, VIGILANCE-VUL-24140.

Description of the vulnerability

The SPIP product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of SPIP, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-9736

SPIP: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of SPIP, in order to run code.
Impacted products: Debian, SPIP.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 12/06/2017.
Identifiers: CVE-2017-9736, DSA-3890-1, VIGILANCE-VUL-22948.

Description of the vulnerability

An attacker can use a vulnerability of SPIP, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin 22023

SPIP: code execution via balises.php

Synthesis of the vulnerability

An attacker can use pages using #HTTP_HEADER on SPIP, in order to run PHP code.
Impacted products: SPIP.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 06/03/2017.
Identifiers: CERTFR-2017-AVI-072, VIGILANCE-VUL-22023.

Description of the vulnerability

The balise_HTTP_HEADER_dist() function of the ecrire/public/balises.php file generates PHP code, calling the header() function to inject an HTTP header from the #HTTP_HEADER tag.

However, user's data are directly inserted in the PHP code.

An attacker can therefore use pages using #HTTP_HEADER on SPIP, in order to run PHP code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2016-9998

SPIP: Cross Site Scripting via info_plugin.php

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via info_plugin.php of SPIP, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, SPIP.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/12/2016.
Identifiers: CVE-2016-9998, DLA-760-1, VIGILANCE-VUL-21413.

Description of the vulnerability

The SPIP product offers a web service.

However, it does not filter received data via info_plugin.php before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via info_plugin.php of SPIP, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2016-9997

SPIP: Cross Site Scripting via puce_statut.php

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via puce_statut.php of SPIP, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, SPIP.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/12/2016.
Identifiers: CVE-2016-9997, DLA-760-1, VIGILANCE-VUL-21412.

Description of the vulnerability

The SPIP product offers a web service.

However, it does not filter received data via puce_statut.php before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via puce_statut.php of SPIP, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2016-9152

SPIP: Cross Site Scripting via plonger.php

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via plonger.php of SPIP, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, SPIP.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/12/2016.
Identifiers: CVE-2016-9152, DLA-738-1, VIGILANCE-VUL-21273.

Description of the vulnerability

The SPIP product offers a web service.

However, it does not filter received data via plonger.php before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via plonger.php of SPIP, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2016-7980 CVE-2016-7981 CVE-2016-7982

SPIP: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SPIP.
Impacted products: Debian, SPIP.
Severity: 2/4.
Consequences: user access/rights, client access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 03/10/2016.
Revision date: 06/10/2016.
Identifiers: CVE-2016-7980, CVE-2016-7981, CVE-2016-7982, CVE-2016-7998, CVE-2016-7999, DLA-695-1, VIGILANCE-VUL-20749.

Description of the vulnerability

Several vulnerabilities were announced in SPIP.

An attacker can use a vulnerability via Template Compiler/Composer, in order to run code. [severity:2/4; CVE-2016-7998]

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4; CVE-2016-7980]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-7981]

An attacker can bypass security features via File Enumeration, in order to obtain sensitive information. [severity:2/4; CVE-2016-7982]

An attacker can bypass security features via a Server Side Request Forgery, in order to obtain sensitive information. [severity:2/4; CVE-2016-7999]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin 20698

SPIP: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of SPIP, in order to run JavaScript code in the context of the web site.
Impacted products: SPIP.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/09/2016.
Identifiers: VIGILANCE-VUL-20698.

Description of the vulnerability

The SPIP product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of SPIP, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2016-3153 CVE-2016-3154

SPIP: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SPIP.
Impacted products: Debian, SPIP.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/03/2016.
Identifiers: CERTFR-2016-AVI-096, CVE-2016-3153, CVE-2016-3154, DSA-3518-1, VIGILANCE-VUL-19154.

Description of the vulnerability

Several vulnerabilities were announced in SPIP.

An attacker can inject PHP code, in order to run code. [severity:4/4; CVE-2016-3153]

An attacker can use unserialize(), in order to inject objects. [severity:3/4; CVE-2016-3154]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about SPIP: