VulnerableCode Package Details - pkg:composer/spip/spip@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-5sev-1tgk-vbfn Aliases: CVE-2021-44123	Unrestricted Upload of File with Dangerous Type SPIP is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.	4.0.1 Affected by 0 other vulnerabilities.
VCID-j37t-tg2b-93ey Aliases: CVE-2021-44122	Cross-Site Request Forgery (CSRF) SPIP is affected by a Cross Site Request Forgery (CSRF) vulnerability in `ecrire/public/aiguiller.php`, `ecrire/public/balises.php`, `ecrire/balise/formulaire_.php`. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).	4.0.1 Affected by 0 other vulnerabilities.
VCID-w6e5-sagr-g7ek Aliases: CVE-2023-27372	Code Injection SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.	There are no reported fixed by versions.
VCID-y4fe-ve98-pkgw Aliases: CVE-2021-44118	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SPIP is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by other users (stored XSS).	4.0.1 Affected by 0 other vulnerabilities.
VCID-yctu-6dy3-e7fx Aliases: CVE-2021-44120	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SPIP is affected by a Cross Site Scripting (XSS) vulnerability in `ecrire/public/interfaces.php`, adding the function `safehtml` to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The `Who are you` and `Website Name` fields are vulnerable.	4.0.1 Affected by 0 other vulnerabilities.
VCID-z9p6-8xa9-dfgv Aliases: CVE-2022-26847	Exposure of Sensitive Information to an Unauthorized Actor SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.	There are no reported fixed by versions.
VCID-zsf8-t31k-27e9 Aliases: CVE-2022-26846	Code Injection SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-5sev-1tgk-vbfn
Aliases:
CVE-2021-44123

Unrestricted Upload of File with Dangerous Type SPIP is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.

4.0.1
Affected by 0 other vulnerabilities.

VCID-j37t-tg2b-93ey
Aliases:
CVE-2021-44122

Cross-Site Request Forgery (CSRF) SPIP is affected by a Cross Site Request Forgery (CSRF) vulnerability in `ecrire/public/aiguiller.php`, `ecrire/public/balises.php`, `ecrire/balise/formulaire_.php`. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).

4.0.1
Affected by 0 other vulnerabilities.

VCID-w6e5-sagr-g7ek
Aliases:
CVE-2023-27372

Code Injection SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

There are no reported fixed by versions.

VCID-y4fe-ve98-pkgw
Aliases:
CVE-2021-44118

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SPIP is affected by a Cross Site Scripting (XSS) vulnerability. To exploit the vulnerability, a visitor must browse to a malicious SVG file. The vulnerability allows an authenticated attacker to inject malicious code running on the client side into web pages visited by other users (stored XSS).

4.0.1
Affected by 0 other vulnerabilities.

VCID-yctu-6dy3-e7fx
Aliases:
CVE-2021-44120

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') SPIP is affected by a Cross Site Scripting (XSS) vulnerability in `ecrire/public/interfaces.php`, adding the function `safehtml` to the vulnerable fields. An editor is able to modify his personal information. If the editor has an article written and available, when a user goes to the public site and wants to read the author's information, the malicious code will be executed. The `Who are you` and `Website Name` fields are vulnerable.

4.0.1
Affected by 0 other vulnerabilities.

VCID-z9p6-8xa9-dfgv
Aliases:
CVE-2022-26847

Exposure of Sensitive Information to an Unauthorized Actor SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access to information about editorial objects.

There are no reported fixed by versions.

VCID-zsf8-t31k-27e9
Aliases:
CVE-2022-26846

Code Injection SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:59:52.054383+00:00	GitLab Importer	Affected by	VCID-w6e5-sagr-g7ek	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2023-27372.yml	38.6.0
2026-05-30T20:57:20.878518+00:00	GitLab Importer	Affected by	VCID-z9p6-8xa9-dfgv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2022-26847.yml	38.6.0
2026-05-30T20:57:20.681747+00:00	GitLab Importer	Affected by	VCID-zsf8-t31k-27e9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2022-26846.yml	38.6.0
2026-05-30T20:56:45.474282+00:00	GitLab Importer	Affected by	VCID-y4fe-ve98-pkgw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2021-44118.yml	38.6.0
2026-05-30T20:56:45.438218+00:00	GitLab Importer	Affected by	VCID-5sev-1tgk-vbfn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2021-44123.yml	38.6.0
2026-05-30T20:56:45.353276+00:00	GitLab Importer	Affected by	VCID-j37t-tg2b-93ey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2021-44122.yml	38.6.0
2026-05-30T20:56:45.040840+00:00	GitLab Importer	Affected by	VCID-yctu-6dy3-e7fx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2021-44120.yml	38.6.0