CVE-2021-44120

Name of the Vulnerable Software and Affected Versions SPIP version 4.0.0

Description The issue concerns a Cross Site Scripting (XSS) vulnerability in the ecrire/public/interfaces.php file, specifically affecting the "Who are you" and "Website Name" fields. An editor can modify their personal information, and if they have a written and available article, the malicious code will be executed when a user attempts to read the author's information on the public site.

Recommendations For SPIP version 4.0.0, consider disabling the modification of the "Who are you" and "Website Name" fields until a patch is available. Additionally, restrict access to the ecrire/public/interfaces.php file to minimize the risk of exploitation. Avoid using the safehtml function in vulnerable fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.