SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability in
ecrire/public/interfaces.php; the fix adds the function safehtml to the
vulnerable fields. An editor is able to modify their personal information
and can place malicious code in it. If the editor has an article written and
available, the malicious code will be executed when a user goes to the
public site and reads the author’s information. The “Who are you” and
“Website Name” fields are vulnerable.
git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81
launchpad.net/bugs/cve/CVE-2021-44120
nvd.nist.gov/vuln/detail/CVE-2021-44120
security-tracker.debian.org/tracker/CVE-2021-44120
ubuntu.com/security/notices/USN-5482-1
ubuntu.com/security/notices/USN-5482-2
www.cve.org/CVERecord?id=CVE-2021-44120