Hi,

On Sun, Dec 01, 2024 at 05:31:07PM +0100, Moritz Mühlenhoff wrote:
[…]
> The following vulnerability was published for spip.
> 
> CVE-2024-53620[0]:
> | A cross-site scripting (XSS) vulnerability in the Article module of
> | SPIP v4.3.3 allows authenticated attackers to execute arbitrary web
> | scripts or HTML via injecting a crafted payload into the Title
> | parameter.
> 
> It's unclear whether this has been reported/fixed upstream, the
> only reference is:
> https://grimthereaperteam.medium.com/ec1e8714c02e

Upstream considers this issue invalid because the code is not executed
inside the back-office, but only on the public part, so only after being
accepted by an admin. The script is displayed in its raw form inside the
back office, so an admin can see it and decide to publish it or not.

Regards,

taffit
