Home

Description

Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-18 | Assigner VulnCheck




MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

4.1.10
affected

Credits

nu11secur1ty finder

References

www.exploit-db.com/exploits/51557 (ExploitDB-51557) exploit

www.spip.net/en_rubrique25.html (SPIP Product Webpage) product

www.vulncheck.com/...count-spoofing-via-malicious-svg-upload (VulnCheck Advisory: Spip 4.1.10 Admin Account Spoofing via Malicious SVG Upload) third-party-advisory

cve.org (CVE-2023-53900)

nvd.nist.gov (CVE-2023-53900)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.