CVE-2025-71244
5.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
SPIP before 4.4.5 and 4.3.9 allows an Open Redirect via the login form when used in AJAX mode. An attacker can craft a malicious URL that, when visited by a victim, redirects them to an arbitrary external site after login. This vulnerability only affects sites where the login page has been overridden to function in AJAX mode. It is not mitigated by the SPIP security screen.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SPIP | SPIP | 4.3.0 < 4.3.9 | affected |
| SPIP | SPIP | 4.4.0 < 4.4.5 | affected |
Weaknesses
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-5.html
- https://git.spip.net/spip/spip
- https://www.vulncheck.com/advisories/spip-open-redirect-via-login-form
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.