==========================================================================
Ubuntu Security Notice USN-4536-1
September 24, 2020

spip vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in SPIP.

Software Description:
– spip: website engine for publishing

Details:

Youssouf Boulouiz discovered that SPIP incorrectly handled login error
messages. A remote attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2019-16392)

Gilles Vincent discovered that SPIP incorrectly handled password reset
requests. A remote attacker could possibly use this issue to cause SPIP to
enumerate registered users. (CVE-2019-16394)

Guillaume Fahrner discovered that SPIP did not properly sanitize input. A
remote authenticated attacker could possibly use this issue to execute
arbitrary code on the host server. (CVE-2019-11071)

Sylvain Lefevre discovered that SPIP incorrectly handled user
authorization. A remote attacker could possibly use this issue to modify
and publish content and modify the database. (CVE-2019-16391)

It was discovered that SPIP did not properly sanitize input. A remote
attacker could, through cross-site scripting (XSS) and PHP injection,
exploit this to inject arbitrary web script or HTML. (CVE-2017-15736)

Alexis Zucca discovered that SPIP incorrectly handled the media plugin. A
remote authenticated attacker could possibly use this issue to write to
the database. (CVE-2019-19830)

Christophe Laffont discovered that SPIP incorrectly handled redirect URLs.
An attacker could use this issue to cause SPIP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2019-16393)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
spip 3.1.4-4~deb9u3build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4536-1
CVE-2017-15736, CVE-2019-11071, CVE-2019-16391, CVE-2019-16392,
CVE-2019-16393, CVE-2019-16394, CVE-2019-19830

Package Information:
https://launchpad.net/ubuntu/+source/spip/3.1.4-4~deb9u3build0.18.04.1

—–BEGIN PGP SIGNATURE—–

iQEzBAEBCAAdFiEElnO/d49FoUPK9fwytGdj0GOh2+wFAl9szhUACgkQtGdj0GOh
2+xnowgAqQDixhBjcj27t1GegGg8ZTuegkqUqApaf+G9gcB2ifGugiXmioghtTZ7
WslXlpGsuHkDG1+2TUGGcWcDg2MQ6lY2xJshaSSrd74qAGI/5cgQogG3ukKV2DW2
j6gLmw9hTCMtwKWtOrciGwm4Vp/WoemB26J+3b7T5HlxSbXKGFXkjacJbpqWlOct
Z66L5aBST8y9On3GCa255MvNyXFEP65NydADpiq3ttq3PT1kJqRiQyu98NysYKRG
4FkSeOWpmeYsHkKdq3M9/Qn0NKyjD5pi9S8foxFJQPaM59t4P54dmz/WuUxexcwv
bwo0Hg533d9ovVEDNj86SmMh3TTADw==
=wVf2
—–END PGP SIGNATURE—–
—