CVE-2025-71241
CVE-2025-71241 is a medium-severity vulnerability rated 4.8/10. That figure is the CVSS 4.0 base score; the CVSS 3.1 vector listed under Metrics scores 6.1 on its own scale. SPIP before 4.3.6, 4.2.17, and 4.1.20 allows cross-site scripting (XSS) in the private area: the error message displayed by the 'transmettre' API is not properly sanitized, so attacker-controlled content is rendered as script in an authenticated user's browser. EPSS estimates a 0.20% probability of exploitation activity in the next 30 days.
Description
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows cross-site scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen (écran de sécurité), the drop-in request filter that runs before the application code; sites running it without the patched release are protected only to the extent that filter catches the payload, so upgrading remains the fix.
Metrics
- CVSS 3.1 (this vector scores 6.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVSS 4.0 (base score 4.8; threat, environmental and supplemental metrics all not defined): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Spip | Spip | >= 4.1.0, < 4.1.20 |
| Spip | Spip | >= 4.2.0, < 4.2.17 |
| Spip | Spip | >= 4.3.0, < 4.3.6 |
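The table above gives three branches with an inclusive lower bound and an exclusive upper bound (the first fixed release). The following is an added example, not SPIP code or code from the advisory, that turns those ranges into an inventory check. It assumes you already have the installed version string (SPIP keeps it in `$spip_version_branche` in `ecrire/inc_version.php`; confirm that location on your own install). It also handles two edge cases the table does not spell out: pre-release builds such as `4.3.6-dev`, which are treated as older than the release they precede and therefore still flagged, and branches the page says nothing about (4.0.x, 4.4.x), which are reported as unverified rather than as safe.

```python
"""Check an installed SPIP version against the CVE-2025-71241 affected ranges.

Added example; not SPIP's code. Ranges are copied from the table on this page.
"""
from __future__ import annotations

import sys


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse '4.3.5' or '4.3.6-dev' into a comparable tuple.

    The fourth element is 0 for a pre-release (anything after '-') and 1 for a
    final release, so '4.3.6-dev' sorts below '4.3.6' and is still flagged as
    affected. Missing components are padded with zeros ('4.3' -> 4.3.0).
    """
    core, dash, _suffix = version.strip().partition("-")
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2], 0 if dash else 1)


# (first affected, first fixed) per branch, as listed on this page.
AFFECTED_RANGES = [
    (parse_version("4.1.0"), parse_version("4.1.20")),
    (parse_version("4.2.0"), parse_version("4.2.17")),
    (parse_version("4.3.0"), parse_version("4.3.6")),
]


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed(version: str) -> str | None:
    """First fixed release on the same major.minor branch, or None when the
    branch is not listed on this page (e.g. 4.0.x or 4.4.x)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if v[:2] == lo[:2]:
            return ".".join(str(n) for n in hi[:3])
    return None


def report(version: str) -> str:
    """One-line verdict, suitable for a fleet inventory script."""
    if is_affected(version):
        return f"{version}: AFFECTED by CVE-2025-71241, upgrade to {first_fixed(version)}"
    fixed = first_fixed(version)
    if fixed is None:
        return f"{version}: branch not listed in the advisory ranges; verify manually"
    return f"{version}: not affected (fixed since {fixed})"


if __name__ == "__main__":
    # Usage: python check_spip.py 4.3.5 4.2.17 4.0.9
    for arg in sys.argv[1:] or ["4.3.5"]:
        print(report(arg))
```

A version on an unlisted branch is deliberately not reported as "not affected": the advisory only enumerates 4.1, 4.2 and 4.3, so anything else needs a look at the vendor release notes rather than a green tick from this script.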
References
- https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6-SPIP-4-2-17-SPIP-4-1-20.html (Release Notes, Vendor Advisory)
- https://www.vulncheck.com/advisories/spip-cross-site-scripting-in-private-area (Third Party Advisory)
Source: NVD / NIST
