Описание
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 4.4.9+dfsg-1 |
| esm-apps-legacy/xenial | needs-triage | |
| esm-apps/bionic | needs-triage | |
| esm-apps/focal | needs-triage | |
| esm-apps/jammy | needs-triage | |
| esm-apps/noble | needs-triage | |
| esm-apps/resolute | needs-triage | |
| esm-apps/xenial | ignored | end of ESM support, was needs-triage |
| jammy | needs-triage | |
| noble | needs-triage |
Показывать по
EPSS
6.1 Medium
CVSS3
Связанные уязвимости
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private are ...
SPIP before 4.4.8 allows Cross-Site Scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in the private area. This vulnerability is not mitigated by the SPIP security screen.
EPSS
6.1 Medium
CVSS3