Cross-Site Scripting Vulnerability in SPIP Versions Prior to 4.1.13 and 4.2.7
CVE-2023-52322

6.1MEDIUM

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 4 January 2024

What is CVE-2023-52322?

The vulnerability in SPIP occurs in the ecrire/public/assembler.php script, allowing Cross-Site Scripting (XSS) due to inadequate input filtering. Specifically, the function _request() does not restrict input to safe characters, such as alphanumerics. This permits potential attackers to inject malvolent scripts, posing significant security risks. Users are urged to upgrade to SPIP version 4.1.13 or 4.2.7 to mitigate these vulnerabilities.

References

https://git.spip.net/spip/spip/commit/e90f5344b8c82711053...

https://blog.spip.net/Mise-a-jour-de-maintenance-et-secur...

https://lists.debian.org/debian-lts-announce/2024/03/msg0...

mailing-list

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 4, 2024
Vulnerability Reserved
Jan 4, 2024

Spip

What is CVE-2023-52322?

References

CVSS V3.1

Timeline