CVE-2013-7303

Published: 30 January 2014

Multiple cross-site scripting (XSS) vulnerabilities in (1) squelettes-dist/formulaires/inscription.php and (2) prive/forms/editer_auteur.php in SPIP before 2.1.25 and 3.0.x before 3.0.13 allow remote attackers to inject arbitrary web script or HTML via the author name field.

Priority

Medium

Status

Package: spip (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (3.0.13-1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (3.0.13-1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [3.0.13-1])

Notes

Author: seth-arnold
Note: Might be 'low' or 'negligible' if the author is the one to inject the XSS and if the author is generally allowed arbitrary HTML input somewhere else.
