[SECURITY] [DLA 760-1] spip security update

2016-12-24T23:10:57
ID DEBIAN:DLA-760-1:74B1A
Type debian
Reporter Debian
Modified 2016-12-24T23:10:57

Description

Package        : spip
Version        : 2.1.17-1+deb7u8
CVE ID         : CVE-2016-9997 CVE-2016-9998
Debian Bug     : 848641

Multiple reflected cross-site scripting (XSS) vulnerabilities have been discovered in SPIP, a website publishing engine written in PHP.

CVE-2016-9997

It was discovered that the 'id' parameter to the puce_statut action
is not sanitized properly before being reflected into the response.
An attacker could inject arbitrary HTML or script into the page by
tricking an authenticated SPIP user into opening a specially crafted
URL.

CVE-2016-9998

It was discovered that the 'plugin' parameter to the info_plugin
action is not sanitized properly before being reflected into the
response. An attacker could inject arbitrary HTML or script into the
page by tricking an authenticated SPIP user into opening a specially
crafted URL.

For Debian 7 "Wheezy", these problems have been fixed in version 2.1.17-1+deb7u8.

We recommend that you upgrade your spip packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS


Jonas Meurer