SPIP Multiple Unspecified Cross Site Scripting Vulnerabilities

Bugtraq ID:	53216
Class:	Input Validation Error
CVE:	CVE-2012-2151
Remote:	Yes
Local:	No
Published:	Apr 24 2012 12:00AM
Updated:	Aug 16 2012 01:20PM
Credit:	William Farner, Arnault Pachot Silvere Cainaud, Maxime Pelletier, Anthony and Christopher Cervoise Imberti
Vulnerable:	SPIP SPIP 2.1.12 SPIP SPIP 2.1 SPIP SPIP 2.0.9 SPIP SPIP 2.0.7 SPIP SPIP 2.0.2 SPIP SPIP 1.9.2 k SPIP SPIP 1.9.2 j SPIP SPIP 1.9.2 SPIP SPIP 2.1.9 SPIP SPIP 2.1.8 SPIP SPIP 2.1.7 SPIP SPIP 2.1.10 SPIP SPIP 2.0.14 SPIP SPIP 2.0 RC1 SPIP SPIP 2.0 SPIP SPIP 1.9.2i SPIP SPIP 1.9.2h SPIP SPIP 1.9.2g SPIP SPIP 1.9.2d Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64
Not Vulnerable:	SPIP SPIP 2.1.13 SPIP SPIP 2.0.18 SPIP SPIP 1.9.2o

SPIP Multiple Unspecified Cross Site Scripting Vulnerabilities

SPIP is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to SPIP 1.9.2o, 2.0.18, and 2.1.13 are vulnerable.

SPIP Multiple Unspecified Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting victim to follow a malicious URI.

SPIP Multiple Unspecified Cross Site Scripting Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

SPIP Multiple Unspecified Cross Site Scripting Vulnerabilities

References:

• New stable releases SPIP 1.9.2o, 2.0.18 et 2.1.13 are availables (SPIP)
  
• SPIP Homepage (SPIP)