Fluid Attacks Database

Description

Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allows attackers to execute arbitrary web scripts or HTML.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	spip/spip	>=0 <=3.1.13	3.2.4
debian 11	spip	>=0 <3.2.8-1	3.2.8-1
debian 13	spip	>=0 <3.2.8-1	3.2.8-1
debian 14	spip	>=0 <3.2.8-1	3.2.8-1

Aliases

1. CVE-2022-289592. NVD-2022-289593. OSV-2022-289594. OSV-DEBIAN-2022-289595. GCVE-2022-289596. SECURITY-TRACKER-CVE-2022-28959

References

1. https://thinkloveshare.com/en/hacking/rce_on_spip_and_root_me/2. https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-SPIP-3-2-8-et-SPIP-3-1-13.html3. https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf4. https://www.root-me.org/fr/Informations/Faiblesses-decouvertes/5. https://github.com/spip/SPIP/commit/0394b44774555ae8331b6e65e35065dfa0bb41e4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.