← volver
CVE-2025-71241

SPIP < 4.3.6 Cross-Site Scripting in Private Area

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Productos afectados
SPIP · SPIP

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.htmlhttps://git.spip.net/spip/spiphttps://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area