Vigil@nce - SPIP: six vulnerabilities

May 2012 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can exploit six vulnerabilities in SPIP to elevate
his privileges, to obtain information, or to create a
Cross Site Scripting.

Severity: 2/4

Creation date: 23/04/2012

IMPACTED PRODUCTS

 Debian Linux
 SPIP

DESCRIPTION OF THE VULNERABILITY

Three vulnerabilities were announced in SPIP.

If an attacker can change the title of a help page, he can inject
HTML code via ecrire/exec/aide_index.php. [severity:1/4]

An administrator who is not a webmaster is allowed to alter a
webmaster via ecrire/inc/autoriser.php. [severity:1/4]

The filtre_text_dist() function of the ecrire/inc/filtres_mime.php
file does not correctly filter special characters. [severity:2/4]

An attacker can trigger a Cross Site Scripting via the search
feature of the exec_auteurs_args() function in the file
ecrire/exec/auteurs.php. [severity:2/4]

An attacker can use a redirection to create a Cross Site Scripting
in ecrire/action/logout.php. [severity:2/4]

One or several other vulnerabilities were announced. Technical
details are unknown. [severity:2/4]

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/SPIP-six-vulnerabilities-11563

