CVE-2025-71241

Summary

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.

Affected Software

VendorProductVersion RangeStatus
SPIPSPIP4.1.0 < 4.1.20affected
SPIPSPIP4.2.0 < 4.2.17affected
SPIPSPIP4.3.0 < 4.3.6affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References