PT-2022-19327 · Spip+2 · Spip+2
Laluka
+1
·
Published
2020-11-25
·
Updated
2026-04-06
·
CVE-2022-28960
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Spip versions prior to 3.2.8
Description
A PHP injection issue allows attackers to execute arbitrary PHP code via the
oups parameter at the "/ecrire" API endpoint.Recommendations
For versions prior to 3.2.8, update to version 3.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ecrire" API endpoint to minimize the risk of exploitation. Avoid using the
oups parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
Improper Encoding or Escaping of Output
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Spip
Ubuntu