Glop

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.3.6 SPIP versions prior to 4.2.17 SPIP versions prior to 4.1.20 **Description** SPIP versions prior to 4.3.6, 4.2.17, and 4.1.20 contain a Cross-Site Scripting (XSS) issue within the private area. The error message displayed by the `transmettre` API endpoint does not properly sanitize its content, which allows an attacker to inject malicious scripts. SPIP’s security screen offers some mitigation. **Recommendations** Update to SPIP version 4.3.6 or later. Update to SPIP version 4.2.17 or later. Update to SPIP version 4.1.20 or later.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.2.1 SPIP versions 3.2.18 through 4.0.10 SPIP versions 4.1.8 through 4.2.1 SPIP version 3.2.11-3+deb11u7 **Description** SPIP is susceptible to a flaw related to the improper handling of untrusted data during memory restoration. Successful exploitation of this issue could allow a remote attacker to execute arbitrary code by submitting specially crafted data to the application. The issue stems from mishandling of serialization. Multiple reports indicate the existence of a Remote Code Execution (RCE) exploit, potentially leveraging the `multi/http/spip bigup` module. **Recommendations** SPIP versions prior to 3.2.18: Upgrade to version 3.2.18 or later. SPIP versions 3.2.18 through 4.0.10: Upgrade to version 4.0.10 or later. SPIP versions 4.0.10 through 4.1.8: Upgrade to version 4.1.8 or later. SPIP versions 4.1.8 through 4.2.1: Upgrade to version 4.2.1 or later. SPIP version 3.2.11-3+deb11u7: No action is required.