Hi,
On Sun, Dec 01, 2024 at 05:31:07PM +0100, Moritz Mühlenhoff wrote:
[…]
The following vulnerability was published for spip.
CVE-2024-53620[0]:
| A cross-site scripting (XSS) vulnerability in the Article module of
| SPIP v4.3.3 allows authenticated attackers to execute arbitrary web
| scripts or HTML via injecting a crafted payload into the Title
| parameter.
It's unclear whether this has been reported/fixed upstream, the
only reference is:
https://grimthereaperteam.medium.com/ec1e8714c02e
Upstream considers this issue invalid because the code is not executed
inside the back-office, but only on the public part, so only after being
accepted by an admin. The script is displayed in its raw form inside the
back office, so an admin can see it and decide to publish it or not.
Regards,
taffit