Spip

spip

Vendor: Spip • 69 CVEs

CVEs (69)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-7999 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 7.4 HIGH· v3 4.3 MEDIUM· v2 ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
CVE-2016-7998 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it...Show more The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.Show less
CVE-2016-7982 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.
CVE-2016-7981 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
CVE-2016-7980 1Spip 1Spip May 13, 2026 Jan 18, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator...Show more Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.Show less
CVE-2016-9998 1Spip 1Spip May 6, 2026 Dec 17, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.
CVE-2016-9997 1Spip 1Spip May 6, 2026 Dec 17, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.
CVE-2016-9152 1Spip 1Spip May 6, 2026 Dec 5, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the rac parameter.
CVE-2016-3154 1Spip 1Spip May 6, 2026 Apr 8, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PH...Show more The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.Show less
CVE-2016-3153 2Debian Spip 2Debian Linux Spip May 6, 2026 Apr 8, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
CVE-2013-7303 1Spip 1Spip Apr 29, 2026 Jan 30, 2014 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject...Show more Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.Show less
CVE-2013-4557 1Spip 1Spip Apr 29, 2026 Nov 18, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.
CVE-2013-4556 1Spip 1Spip Apr 29, 2026 Nov 18, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_s...Show more Cross-site scripting (XSS) vulnerability in the author page (prive/formulaires/editer_auteur.php) in SPIP before 2.1.24 and 3.0.x before 3.0.12 allows remote attackers to inject arbitrary web script or HTML via the url_site parameter.Show less
CVE-2013-4555 1Spip 1Spip Apr 29, 2026 Nov 18, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified...Show more Cross-site request forgery (CSRF) vulnerability in ecrire/action/logout.php in SPIP before 2.1.24 allows remote attackers to hijack the authentication of arbitrary users for requests that logout the user via unspecified vectors.Show less
CVE-2013-2118 1Spip 1Spip Apr 29, 2026 Jul 9, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.
CVE-2012-4331 1Spip 1Spip Apr 29, 2026 Aug 14, 2012 N/A· v4 N/A· v3 10.0 HIGH· v2 Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabiliti...Show more Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.Show less
CVE-2012-2151 1Spip 1Spip Apr 29, 2026 Aug 14, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in SPIP 1.9.x before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2009-3041 1Spip 1Spip Apr 23, 2026 Sep 1, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to inst...Show more SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.Show less
CVE-2008-5813 1Spip 1Spip Apr 23, 2026 Jan 2, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these deta...Show more SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details are obtained from third party information.Show less
CVE-2008-5812 1Spip 1Spip Apr 23, 2026 Jan 2, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.

Previous 1 234 Next