CVE-2021-44120

Published: Jan 26, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php, adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The "Who are you" and "Website Name" fields are vulnerable.

Affected (1)

Products: Spip: Spip

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Spip Spip	Version 4.0.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81

Source: cve@mitre.org

PatchVendor Advisory

https://git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.