SB2019092912 - Multiple vulnerabilities in SPIP
Published: September 29, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-16394)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to SPIP returns different responses for existing and non-existing email addresses in an error messages from the password-reminder page. A remote attacker can brute-force the password reminder functionality and exfiltrate email addresses of existing web application users.
2) HTTP response splitting (CVE-ID: CVE-2019-16393)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not corrector process CRLF character sequences in ecrire/inc/headers.php script. A remote attacker can send specially crafted request containing CRLF sequence and make the application send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
3) Cross-site scripting (CVE-ID: CVE-2019-16392)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in prive/formulaires/login.php. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Improper access control (CVE-ID: CVE-2019-16391)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php scripts. A remote authenticated website visitor can bypass implemented security restrictions and modify any published content and execute other modifications in the database
Remediation
Install update from vendor's website.
References
- https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html
- https://core.spip.net/issues/4171
- https://seclists.org/bugtraq/2019/Sep/40
- https://www.debian.org/security/2019/dsa-4532
- https://zone.spip.net/trac/spip-zone/changeset/117577/spip-zone
- https://zone.spip.net/trac/spip-zone/changeset/117578/spip-zone
- https://core.spip.net/issues/4362
- https://git.spip.net/SPIP/spip/commit/0b832408b0aabd5b94a81e261e9413c0f31a19f1
- https://git.spip.net/SPIP/spip/commit/3c12a82c7d9d4afd09e708748fa82e7836174028
- https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html?lang=fr
- https://git.spip.net/SPIP/spip/commit/187952ce85e73b52c2753f2d54fc2c44807b8f79
- https://git.spip.net/SPIP/spip/commit/3cbc758400323ab006c00ea78eacdb8f76aa5f66