CVE-2017-15736

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 3.1.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via a crafted string. This is demonstrated by a PGP field and is related to prive/objets/contenu/auteur.html and ecrire/inc/texte mini.php.

Recommendations For versions prior to 3.1.7, update to version 3.1.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the prive/objets/contenu/auteur.html and ecrire/inc/texte mini.php files until a patch is available. Avoid using crafted strings in the PGP field until the issue is resolved.