CVE-2021-44122

Name of the Vulnerable Software and Affected Versions SPIP version 4.0.0

Description The issue is related to a Cross Site Request Forgery (CSRF) vulnerability in files such as ecrire/public/aiguiller.php, ecrire/public/balises.php, and ecrire/balise/formulaire .php. To exploit this, a visitor must first visit a malicious website that redirects to the SPIP website. Additionally, it is possible to combine this with XSS vulnerabilities in SPIP 4.0.0 to achieve exploitation. This allows an authenticated attacker to execute malicious code on the website without the user's knowledge.

Recommendations For SPIP version 4.0.0, consider disabling access to the vulnerable files ecrire/public/aiguiller.php, ecrire/public/balises.php, and ecrire/balise/formulaire .php until a patch is available. Restricting the use of these files can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.