Dorian Piette

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP before version 4.4.9 contains a Blind Server-Side Request Forgery (SSRF) issue related to syndicated sites within the private area. The application does not validate the syndication URL when editing a syndicated site, potentially allowing an authenticated attacker to force the server to make requests to arbitrary internal or external destinations. The SPIP security screen does not mitigate this issue. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions before 4.4.9 contain a Stored Cross-Site Scripting (XSS) issue related to syndicated sites within the private area. The #URL SYNDIC output is not sufficiently sanitized when displaying details of syndicated sites in the private area. This allows an attacker who can control a syndication URL to inject malicious scripts that will execute when other administrators view the details of the syndicated site. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions before 4.4.9 contain a Cross-Site Scripting (XSS) issue in the private area. The `echappe anti xss()` function was not consistently applied to input, form, button, and anchor (<a>) HTML tags, enabling an attacker to inject malicious scripts through these elements. The SPIP security screen does not address this issue. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions prior to 4.4.9 contain an insecure deserialization flaw. This issue affects the public area through the `table valeur` filter and the `DATA` iterator, which accept serialized data. An attacker who can place malicious serialized content can trigger arbitrary object instantiation and potentially achieve remote code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions before 4.4.9 contain a Blind Server-Side Request Forgery (SSRF) issue related to syndicated sites within the private area. The application does not validate the syndication URL when editing a syndicated site, potentially allowing an authenticated attacker to force the server to make requests to arbitrary internal or external locations. The SPIP security screen does not address this issue. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions prior to 4.4.9 contain a Stored Cross-Site Scripting (XSS) issue related to syndicated sites within the private area. The output from `#URL SYNDIC` is not adequately sanitized when displaying details of syndicated sites in the private section. This allows an attacker who can control a malicious syndication URL to inject persistent scripts that will execute when other administrators view the syndicated site details. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions before 4.4.9 contain a Cross-Site Scripting (XSS) issue in the private area. A previous fix in SPIP 4.4.8 was incomplete, and the `echappe anti xss()` function was not consistently applied to input, form, button, and anchor (<a>) HTML tags. This allows an attacker to inject malicious scripts through these elements. The SPIP security screen does not mitigate this issue. **Recommendations** Update to SPIP version 4.4.9 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.4.9 **Description** SPIP versions prior to 4.4.9 contain an Insecure Deserialization flaw. The issue is present in the handling of serialized data within the `table valeur` filter and the `DATA` iterator. An attacker who can place malicious serialized content may be able to trigger arbitrary object instantiation and potentially achieve code execution. The use of serialized data in these components has been deprecated and will be removed in SPIP 5. The SPIP security screen does not mitigate this issue. **Recommendations** Update to SPIP version 4.4.9 or later.