Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 634
Alerts This Week
Warning Icon 1 634

Ubuntu 21.10 USN-5482-1 Critical: SPIP Code Execution Threats

ubuntu
Calendar Grey June 16, 2022
Dist Ubuntu Esm H88
Security flaws in SPIP addressed in Ubuntu 21.10 and 18.04 LTS, improving overall system safety.
Several security issues were fixed in SPIP.

Summary

Several security issues were fixed in SPIP.

Software Description:

- spip: website engine for publishing

Details:

It was discovered that SPIP incorrectly validated inputs. An authenticated

attacker could possibly use this issue to execute arbitrary code.

(CVE-2020-28984)

Charles Fol and Théo Gordyjan discovered that SPIP is vulnerable to Cross

Site Scripting (XSS). If a user were tricked into browsing a malicious SVG

file, an attacker could possibly exploit this issue to execute arbitrary

code. This issue was only fixed in Ubuntu 21.10. (CVE-2021-44118,

CVE-2021-44120, CVE-2021-44122, CVE-2021-44123)

It was discovered that SPIP incorrectly handled certain forms. A remote

authenticated editor could possibly use this issue to execute arbitrary code,

and a remote unauthenticated attacker could possibly use this issue to obtain

sensitive information. (CVE-2022-26846, CVE-2022-26847)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  spip                            3.2.11-3+deb11u3build0.21.10.1

Ubuntu 18.04 LTS:
  spip                            3.1.4-4~deb9u5build0.18.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5482-1

CVE-2020-28984, CVE-2021-44118, CVE-2021-44120, CVE-2021-44122,

CVE-2021-44123, CVE-2022-26846, CVE-2022-26847

Severity
critical
Lowest
Low
Medium
High
Critical

June 16, 2022

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.