PT-2020-5811
Cerdica · Published 2020-06-05 · Updated 2022-06-16 · CVE-2020-28984
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
SPIP versions prior to 3.2.8
Description:
The issue is caused by insufficient validation of parameters in the prive/formulaires/configurer_preferences.php component of the SPIP content management system. Specifically, the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters are not properly validated. This can allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.
Recommendations:
For SPIP versions prior to 3.2.8, update to version 3.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable prive/formulaires/configurer_preferences.php component until the patch is applied, and avoid using the vulnerable parameters couleur, display, display_navigation, display_outils, imessage, and spip_ecran in the affected component until the issue is resolved.
Fix
Code Injection
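The root cause named above is that request parameters reach the preferences form handler without validation. The following is an added example, not SPIP's own code, of the defensive pattern that closes this class of bug: every parameter is checked against a fixed allow-list of permitted values before anything from the request is stored, rendered or handed to any function that builds code. The parameter names are the six from the advisory; the permitted value sets for each are assumptions chosen for illustration and are not SPIP's actual option lists.

```php
<?php
// Added example (not SPIP's own code): allow-list validation for the six
// preference parameters named in the advisory. The permitted value sets are
// assumptions for illustration, not SPIP's real option lists.

declare(strict_types=1);

/**
 * Permitted values per parameter. A parameter absent from this map is not
 * accepted at all; a value not in its list is rejected. Nothing from the
 * request reaches storage, templates or code-building functions unvalidated.
 */
const PREFERENCE_ALLOWLIST = [
    'couleur'            => ['1', '2', '3', '4', '5', '6', '7', '8'],       // theme index (assumed range)
    'display'            => ['navigation_avec_icones', 'navigation_sans_icones'], // assumed
    'display_navigation' => ['navigation_avec_icones', 'navigation_sans_icones'], // assumed
    'display_outils'     => ['oui', 'non'],                                 // assumed
    'imessage'           => ['oui', 'non'],                                 // assumed
    'spip_ecran'         => ['large', 'etroit'],                            // assumed
];

/**
 * Validate a raw request array. Returns [$clean, $errors]: $clean holds only
 * known parameters carrying permitted values; $errors lists what was rejected.
 */
function validate_preferences(array $request): array
{
    $clean  = [];
    $errors = [];

    foreach ($request as $name => $value) {
        if (!array_key_exists($name, PREFERENCE_ALLOWLIST)) {
            $errors[] = "unknown parameter: $name";
            continue;
        }
        // Only scalar strings are acceptable; arrays or nested structures are rejected.
        if (!is_string($value)) {
            $errors[] = "$name: non-string value";
            continue;
        }
        // Strict comparison: no type juggling, no prefix or partial matches.
        if (!in_array($value, PREFERENCE_ALLOWLIST[$name], true)) {
            $errors[] = "$name: value not permitted";
            continue;
        }
        $clean[$name] = $value;
    }

    return [$clean, $errors];
}

// Constructed sample input: one clean submission and one carrying
// unexpected content in two parameters.
$valid = ['couleur' => '3', 'spip_ecran' => 'large', 'imessage' => 'non'];
$bad   = ['couleur' => 'not-a-theme', 'display' => ['x'], 'spip_ecran' => 'large'];

[$clean, $errors] = validate_preferences($valid);
assert($errors === [] && $clean === $valid);

[$clean, $errors] = validate_preferences($bad);
assert($clean === ['spip_ecran' => 'large']);
assert(count($errors) === 2);

echo $errors === [] ? "accepted\n" : "rejected: " . implode('; ', $errors) . "\n";
```

The form handler should refuse the entire submission whenever `$errors` is non-empty rather than saving the valid subset, so that a tampered request never produces a partial write. Pairing this server-side check with the advisory's workaround (restricting access to the component) limits exposure until the 3.2.8 update is applied.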
Affected Products: Spip, Ubuntu