SPIP 4.2.14 and Earlier: Malicious Scripts Can Run in Browsers

Summary

If you use SPIP version 4.2.14 or earlier, a hacker could inject malicious code into your website that runs in visitors' browsers, potentially stealing data or taking control of their sessions. To fix this, update to version 4.2.15 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
spip	spip	> 4.2.0 , <= 4.2.15	–

Original title

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject mali...

Original description

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser.

nvd CVSS3.1 5.4

nvd CVSS4.0 4.8

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-... Release Notes
https://git.spip.net/spip/spip Product
https://www.vulncheck.com/advisories/spip-cross-site-scripting-via-code-tags Third Party Advisory