CVE-2024-53620

Name: CVE-2024-53620
Description: A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Notes

Non-issue reported for spip, was also filed as #1088801
Disputed by upstream: The code is not executed inside the back-office, but only
on the public part, so only after being accepted by an admin. The script is
displayed in its raw form inside the back office, so an admin can see it and
decide to publish it or not.
