1. Ubuntu Security Notices
  2. USN-7318-1

USN-7318-1: SPIP vulnerabilities

Publication date

4 March 2025

Overview

Several security issues were fixed in spip.

Releases

Packages

  • spip - website engine for publishing

Details

It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform SQL injection
attacks. This issue...

It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform SQL injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28961)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote authenticated attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-37155)

It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform SQL injection
attacks. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2023-24258)

It was discovered that SPIP did not properly handle serialization under
certain circumstances. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2023-27372)

It was discovered that SPIP did not properly sanitize HTTP requests. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2024-8517)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
24.10 oracular spip –  4.3.1+dfsg-1ubuntu0.1
20.04 focal spip –  3.2.7-1ubuntu0.1+esm2  
18.04 bionic spip –  3.1.4-4~deb9u5ubuntu0.1~esm2  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›