spip - security update

2016-12-2400:00:00

Google

osv.dev

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

46.4%

JSON

Multiple reflected cross-site scripting (XSS) vulnerabilities have been
discovered in SPIP, a website publishing engine written in PHP.

CVE-2016-9997
It was discovered that the id parameter to the puce_statut action
isn’t sanitized properly. An attacker could inject arbitrary HTML
code by tricking an authenticated SPIP user to open a specially
crafted URL.
CVE-2016-9998
It was discovered that the plugin parameter to the info_plugin
action isn’t sanitized properly. An attacker could inject arbitrary
HTML code by tricking an authenticated SPIP user to open a specially
crafted URL.

For Debian 7 Wheezy, these problems have been fixed in version
2.1.17-1+deb7u8.

We recommend that you upgrade your spip packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: <https://wiki.debian.org/LTS>

CPENameOperatorVersion
spipeq2.1.17-1
spipeq2.1.17-1+deb7u1
spipeq2.1.17-1+deb7u2
spipeq2.1.17-1+deb7u3
spipeq2.1.17-1+deb7u4
spipeq2.1.17-1+deb7u5
spipeq2.1.17-1+deb7u6
spipeq2.1.17-1+deb7u7

Name	Operator	Version
spip	eq	2.1.17-1
spip	eq	2.1.17-1+deb7u1
spip	eq	2.1.17-1+deb7u2
spip	eq	2.1.17-1+deb7u3
spip	eq	2.1.17-1+deb7u4
spip	eq	2.1.17-1+deb7u5
spip	eq	2.1.17-1+deb7u6
spip	eq	2.1.17-1+deb7u7