CVE-2025-71242

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

S

PIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen.

References

Link	Resource
https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6.html	Broken Link
https://git.spip.net/spip/spip	Product
https://www.vulncheck.com/advisories/spip-authorization-bypass-leading-to-content-disclosure	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:spip:spip::::::::
	cpe:2.3:a:spip:spip::::::::
	cpe:2.3:a:spip:spip::::::::

History

02 Mar 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 6.5

24 Feb 2026, 19:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:spip:spip::::::::
First Time		Spip spip Spip
References	~~() https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6.html -~~	() https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6.html - Broken Link
References	~~() https://git.spip.net/spip/spip -~~	() https://git.spip.net/spip/spip - Product
References	~~() https://www.vulncheck.com/advisories/spip-authorization-bypass-leading-to-content-disclosure -~~	() https://www.vulncheck.com/advisories/spip-authorization-bypass-leading-to-content-disclosure - Third Party Advisory

20 Feb 2026, 21:19

Type	Values Removed	Values Added
CWE		CWE-285

19 Feb 2026, 16:27

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-19 16:27

Updated : 2026-03-02 15:16

NVD link : CVE-2025-71242

Mitre link : CVE-2025-71242

CVE.ORG link : CVE-2025-71242

JSON object : View

Products Affected

spip

CWE

CWE-285

Improper Authorization

{"id": "CVE-2025-71242", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-19T16:27:12.113", "references": [{"url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-3-6.html", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://git.spip.net/spip/spip", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/spip-authorization-bypass-leading-to-content-disclosure", "tags": ["Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "SPIP before 4.3.6, 4.2.17, and 4.1.20 allows unauthorized content disclosure in the private area. The application does not properly check authorization when displaying content of articles and sections (rubriques) in AJAX-loaded fragments, allowing an authenticated attacker to access restricted content. This vulnerability is not mitigated by the SPIP security screen."}], "lastModified": "2026-03-02T15:16:31.693", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8318A203-462B-4AA4-AB2D-B9580D120F1B", "versionEndExcluding": "4.1.20", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5E00F34-ECD3-4C0D-B716-C506FC5D4E69", "versionEndExcluding": "4.2.17", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F5A7122-0E69-4986-869A-E5048E10431D", "versionEndExcluding": "4.3.6", "versionStartIncluding": "4.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}