PT-2022-11994 · Spip+2
Published 2021-12-22 · Updated 2023-03-02 · CVE-2021-44118
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SPIP version 4.0.0
Description
The issue allows an authenticated attacker to inject client-side script into web pages viewed by other users. The vector is a Cross-Site Scripting (XSS) vulnerability: a visitor must browse directly to a malicious SVG file for the exploit to trigger.
Recommendations
For SPIP version 4.0.0, consider disabling the ability to upload SVG files, or to browse to them directly, as a temporary workaround until a patch is available. Restrict access to areas of the application where user-supplied data is displayed to minimize the risk of exploitation.
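The workaround above rests on two facts about SVG: it is XML that may carry active content (script elements, event-handler attributes, javascript: URLs, foreignObject wrapping HTML), and a browser only executes that content when the file is opened as a top-level document. The following is an added example, not SPIP's own code, of how an upload handler can apply both halves of the recommendation: inspect an uploaded SVG for active content before accepting it, and, for any SVG that is kept, emit response headers that make the browser download it rather than render it. The sample SVG strings are constructed for the example; the function names are hypothetical.

```python
"""
Defensive gate for user-uploaded SVG files (added example, not project code).

  inspect_svg(data)    -> list of findings; [] means no active content seen
  is_safe_svg(data)    -> True when inspect_svg() returns no findings
  safe_svg_headers()   -> headers for serving an SVG that was accepted anyway,
                          so browsing to it yields a download, not a document
"""
import xml.etree.ElementTree as ET

# Elements whose presence means the SVG can run script or embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes that take a URL and therefore can carry a javascript: scheme.
URL_ATTRIBUTES = {"href", "src"}          # xlink:href also resolves to "href"


def _local(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def inspect_svg(data: bytes) -> list:
    """Parse an SVG upload and report every piece of active content found.

    Parsing with the standard library is enough to detect the constructs
    below; for untrusted input in production, prefer defusedxml to also
    block entity-expansion attacks.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):
                # onload=, onclick=, ... run script when the SVG is a document
                findings.append(f"event handler attribute {a}= on <{name}>")
            elif a in URL_ATTRIBUTES and (
                v.startswith("javascript:") or v.startswith("data:text/html")
            ):
                findings.append(f"script-bearing URL in {a}= on <{name}>")
            elif a == "style" and ("javascript:" in v or "expression(" in v):
                findings.append(f"script-bearing style on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept the upload only when no active content was reported."""
    return not inspect_svg(data)


def safe_svg_headers() -> dict:
    """Headers for serving an accepted SVG from a user-content path.

    Content-Disposition: attachment stops the browser from rendering the file
    as a document when a visitor browses to it directly; the CSP sandbox is a
    second layer should the file ever be rendered inline.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for the example.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>'
)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
    b'<script>x()</script>'
    b'<a href="javascript:x()"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", "accepted" if is_safe_svg(sample) else "rejected",
              inspect_svg(sample))
```

Rejecting at upload time and forcing a download at serve time are independent controls: the first stops malicious files from entering the site, the second means a file that slips past the inspection still cannot execute when a visitor browses to it, which is the exact condition the advisory describes.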
Fix
XSS
Affected Products
Linuxmint
Spip
Ubuntu