SPIP File Upload Vulnerability Leading to Admin Account Spoofing

Vulnerability

A file upload vulnerability has been identified in SPIP version 4.1.10, allowing attackers to upload malicious SVG files containing embedded external links. This vulnerability arises from inadequate file upload filtering. Attackers can exploit this by tricking administrators into clicking on a crafted SVG logo, which redirects to a potentially harmful URL.

Impact

Exploitation of this vulnerability could lead to spoofing attacks, where an administrator is misled into clicking a malicious link, potentially causing harm to the website or its users.

Reproduction

To reproduce this vulnerability, upload an SVG file that includes a link to an external URL. Once the file is uploaded, it can be presented as a logo. When an administrator clicks on the logo, they will be redirected to the external URL, which could be harmful.
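As an added defensive illustration (not SPIP's own code), the following Python check inspects an uploaded SVG for hyperlink elements, script, foreignObject, event-handler attributes and absolute URLs before the file is accepted as a logo. The sample SVGs and the `attacker.example` host are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a "logo" whose shape is wrapped in a hyperlink to an
# external site, the kind of file the advisory describes.
LINKED_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <a xlink:href="https://attacker.example/landing">
    <rect width="100" height="100" fill="blue"/>
  </a>
</svg>"""

# Constructed sample: a plain logo with no links or active content.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>"""

RISKY_ELEMENTS = {"a", "script", "foreignobject"}


def svg_upload_findings(data: bytes) -> list:
    """Return the reasons an SVG should be rejected as a logo.

    An empty list means no hyperlinks, scripts, event handlers or outbound
    references were found. In production, parse with defusedxml to avoid
    entity-expansion attacks; stdlib ElementTree is used here for portability.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop the namespace prefix
        if tag in RISKY_ELEMENTS:
            findings.append(f"<{tag}> element present")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()  # covers href and xlink:href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            elif name == "href":
                parsed = urlparse(value.strip())
                # Fragment-only references (#id) stay internal; anything
                # with a scheme or host points outside the document.
                if parsed.scheme or parsed.netloc:
                    findings.append(f"outbound reference in href: {value}")
    return findings
```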

Added: Dec 16, 2025, 7:45 PM
Updated: Dec 16, 2025, 7:45 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.0
exploitability: 6.5
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.