========================================================================== Ubuntu Security Notice USN-4536-1 September 24, 2020 spip vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS Summary: Several security issues were fixed in SPIP. Software Description: - spip: website engine for publishing Details: Youssouf Boulouiz discovered that SPIP incorrectly handled login error messages. A remote attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2019-16392) Gilles Vincent discovered that SPIP incorrectly handled password reset requests. A remote attacker could possibly use this issue to cause SPIP to enumerate registered users. (CVE-2019-16394) Guillaume Fahrner discovered that SPIP did not properly sanitize input. A remote authenticated attacker could possibly use this issue to execute arbitrary code on the host server. (CVE-2019-11071) Sylvain Lefevre discovered that SPIP incorrectly handled user authorization. A remote attacker could possibly use this issue to modify and publish content and modify the database. (CVE-2019-16391) It was discovered that SPIP did not properly sanitize input. A remote attacker could, through cross-site scripting (XSS) and PHP injection, exploit this to inject arbitrary web script or HTML. (CVE-2017-15736) Alexis Zucca discovered that SPIP incorrectly handled the media plugin. A remote authenticated attacker could possibly use this issue to write to the database. (CVE-2019-19830) Christophe Laffont discovered that SPIP incorrectly handled redirect URLs. An attacker could use this issue to cause SPIP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-16393) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: spip 3.1.4-4~deb9u3build0.18.04.1 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4536-1 CVE-2017-15736, CVE-2019-11071, CVE-2019-16391, CVE-2019-16392, CVE-2019-16393, CVE-2019-16394, CVE-2019-19830 Package Information: https://launchpad.net/ubuntu/+source/spip/3.1.4-4~deb9u3build0.18.04.1