Multiple cross-site scripting (XSS) vulnerabilities in (1)
squelettes-dist/formulaires/inscription.php and (2)
prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13
allow remote attackers to inject arbitrary web script or HTML via the
author name field.

Author | Note |
---|---|
seth-arnold | Might be “low” or “negligible” if the author is the one to inject the XSS and if the author is generally allowed arbitrary HTML input somewhere else. |