Cross Site Request Forgery Vulnerability in SPIP by SPIP Team
CVE-2021-44122
8.8 HIGH
Summary
SPIP 4.0.0 is susceptible to a Cross Site Request Forgery (CSRF) vulnerability found in multiple files, including ecrire/public/aiguiller.php and ecrire/public/balises.php. An attacker can exploit this vulnerability by tricking a user into visiting a malicious website that redirects the user to the SPIP site, enabling the attacker to carry out actions on behalf of the unsuspecting user without their consent. Moreover, this vulnerability can potentially be combined with existing XSS vulnerabilities in the same version, heightening the risk of executing unauthorized commands. User awareness and the implementation of security updates are critical to mitigate such risks.
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved