CVE-2025-71242

Summary

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.

Affected Software

VendorProductVersion RangeStatus
SPIPSPIP4.1.0 < 4.1.20affected
SPIPSPIP4.2.0 < 4.2.17affected
SPIPSPIP4.3.0 < 4.3.6affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References