Fluid Attacks Database

Description

SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spip	=3.2.11-3 \|\| >=0 <3.2.11-3+deb11u1	3.2.11-3+deb11u1
debian 13	spip	>=0 <3.2.12-1	3.2.12-1
packagist	spip/spip	=4.0.0	4.0.1
debian 14	spip	>=0 <3.2.12-1	3.2.12-1

Aliases

1. CVE-2021-441222. NVD-2021-441223. OSV-DEBIAN-2021-441224. OSV-2021-441225. GCVE-2021-441226. SECURITY-TRACKER-CVE-2021-44122

References

1. https://git.spip.net/spip/spip/commit/1b8e4f404c2441c15ca6540b9a6d8e50cff219db

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.