CVE-2021-44120 Information

Description

SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in ecrire/public/interfaces.php adding the function safehtml to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available when a user goes to the public site and wants to read the author’s information the malicious code will be executed. The \Who are you\ and \Website Name\ fields are vulnerable.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4