USN-5482-1: SPIP vulnerabilities
16 June 2022
Several security issues were fixed in SPIP.
Releases
Packages
- spip - website engine for publishing
Details
It was discovered that SPIP incorrectly validated inputs. An authenticated
attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-28984)
Charles Fol and Théo Gordyjan discovered that SPIP is vulnerable to Cross-Site
Scripting (XSS). If a user were tricked into browsing a malicious SVG
file, an attacker could possibly exploit this issue to execute arbitrary
code. This issue was only fixed in Ubuntu 21.10. (CVE-2021-44118,
CVE-2021-44120, CVE-2021-44122, CVE-2021-44123)
It was discovered that SPIP incorrectly handled certain forms. A remote
authenticated editor could possibly use this issue to execute arbitrary code,
and a remote unauthenticated attacker could possibly use this issue to obtain
sensitive information. (CVE-2022-26846, CVE-2022-26847)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.10
Ubuntu 18.04
In general, a standard system update will make all the necessary changes.
Related notices
- USN-5482-2: spip