OpenCVE

SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Spip	Spip

Configuration 1 [-]

OR	cpe:2.3:a:spip:spip::::::::
	cpe:2.3:a:spip:spip::::::::

No data.

References

Link	Providers
https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr
https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2
https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-01-19T00:00:00

Updated: 2024-08-01T23:06:25.355Z

Reserved: 2024-01-19T00:00:00

Link: CVE-2024-23659

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-19T05:15:09.233

Modified: 2024-11-21T08:58:06.740

Link: CVE-2024-23659

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F53AAF3-4FED-4D8C-8E10-4EED126086FE", "versionEndExcluding": "4.1.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "matchCriteriaId": "000974CE-80E7-4809-9EC8-85AEB42EE303", "versionEndExcluding": "4.2.8", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js."}, {"lang": "es", "value": "SPIP anterior a 4.1.14 y 4.2.x anterior a 4.2.8 permite XSS mediante el nombre de un archivo cargado. Esto est\u00e1 relacionado con javascript/bigup.js y javascript/bigup.utils.js."}], "id": "CVE-2024-23659", "lastModified": "2024-11-21T08:58:06.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T05:15:09.233", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.spip.net/spip/bigup/commit/ada821c076d67d1147a195178223d0b4a6d8cecc"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}