
Ubuntu 18.04 SPIP Vulnerabilities USN-4536-1: XSS and DoS Risks

September 24, 2020
A variety of vulnerabilities were addressed in SPIP for Ubuntu 18.04, including cross-site scripting (XSS) and threats of remote code execution.

Summary

Several security issues were fixed in SPIP.

Software Description:

- spip: website engine for publishing

Details:

Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2019-16392)

Gilles Vincent discovered that SPIP incorrectly handled password reset requests. A remote attacker could possibly use this issue to cause SPIP to enumerate registered users. (CVE-2019-16394)

Guillaume Fahrner discovered that SPIP did not properly sanitize input. A remote authenticated attacker could possibly use this issue to execute arbitrary code on the host server. (CVE-2019-11071)

Sylvain Lefevre discovered that SPIP incorrectly handled user authorization. A remote attacker could possibly use this issue to modify and publish content and modify the database. (CVE-2019-16391)

It was discovered that SPIP did not properly sanitize input. A remote at...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  spip                            3.1.4-4~deb9u3build0.18.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4536-1

CVE-2017-15736, CVE-2019-11071, CVE-2019-16391, CVE-2019-16392, CVE-2019-16393, CVE-2019-16394, CVE-2019-19830

Severity

Critical
