CVE-2025-71241
4.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SPIP | SPIP | 4.1.0 < 4.1.20 | affected |
| SPIP | SPIP | 4.2.0 < 4.2.17 | affected |
| SPIP | SPIP | 4.3.0 < 4.3.6 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html
- https://git.spip.net/spip/spip
- https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.