Fluid Attacks Database

Description

ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spip	=3.2.11-3 \|\| =3.2.11-3+deb11u1 \|\| =3.2.11-3+deb11u2 \|\| =3.2.11-3+deb11u3 \|\| =3.2.11-3+deb11u4 \|\| =3.2.11-3+deb11u5 \|\| =3.2.11-3+deb11u6 \|\| =3.2.11-3+deb11u7 \|\| =3.2.11-3+deb11u8 \|\| =3.2.11-3+deb11u9 \|\| >=0 <3.2.11-3+deb11u10	3.2.11-3+deb11u10
debian 13	spip	>=0 <4.1.13+dfsg-1	4.1.13+dfsg-1
debian 14	spip	>=0 <4.1.13+dfsg-1	4.1.13+dfsg-1

Aliases

1. CVE-2023-523222. NVD-2023-523223. OSV-DEBIAN-2023-523224. OSV-2023-523225. SECURITY-TRACKER-CVE-2023-52322