SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:LSpip
APPSpip4.4.10 – 4.4.13 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-27475CRITICAL9.2PL ✓ten sam produkt
SPIP — Insecure Deserialization umożliwiająca RCE w obszarze publicznym
CVE-2024-8517CRITICAL9.8PL ✓ten sam produkt
SPIP — zdalny command injection przez multipart upload bez uwierzytelnienia
CVE-2023-27372CRITICAL9.8ten sam produkt
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mis...
CVE-2023-24258CRITICAL9.8ten sam produkt
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This ...
CVE-2020-28984CRITICAL9.8ten sam produkt
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, disp...