Vigil@nce - SPIP: three vulnerabilities
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in SPIP.
– Impacted products: Debian, SPIP
– Severity: 2/4
– Creation date: 12/11/2013
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in SPIP.
An attacker can trigger a Cross Site Request Forgery during
logout, in order to force the victim to perform operations.
[severity:2/4; BID-63638, CVE-2013-4555]
An attacker can trigger a Cross Site Scripting in the Author Page,
in order to execute JavaScript code in the context of the web
site. [severity:2/4; BID-63636, CVE-2013-4556]
An attacker can inject PHP code, in order to execute code.
[severity:2/4; BID-63637, CVE-2013-4557]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SPIP-three-vulnerabilities-13732