CVE-2021-44122

8.8 HIGH

📋 TL;DR

SPIP 4.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in multiple PHP files: state-changing actions are accepted without a token tied to the requesting user's session. An attacker who lures a logged-in SPIP user onto a malicious page (or who chains the bug with an XSS vulnerability on the site itself) can make the victim's browser submit those requests, so the actions run with the victim's privileges and without the victim's consent. The attacker needs no SPIP account; only the victim must be authenticated.

💻 Affected Systems

Products:
  • SPIP
Versions: 4.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The victim, not the attacker, needs an authenticated SPIP session (any account with rights to the affected actions). Chaining with an XSS vulnerability on the same origin makes exploitation easier and also defeats SameSite cookie and Referer-based defences.

📦 What is this software?

SPIP is a free, open-source content management system written in PHP, originally created for French-language online publishing and widely used for editorial websites. The affected actions live in its editorial back office, so the exposed population is the site's logged-in contributors and administrators.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who targets a logged-in administrator can perform any action that account is allowed to perform: change site configuration, modify or delete content, and carry out other administrative actions. Against an administrator account this can amount to full compromise of the site.

🟠

Likely Case

An attacker tricks an editor or administrator into triggering unauthorized content changes or administrative actions. Because the requests are sent by the victim's own browser with the victim's session, they look legitimate in the access logs and are attributed to the victim.

🟢

If Mitigated

CSRF tokens on the affected actions (which is what the upstream fix adds) and a SameSite attribute on the session cookie make exploitation significantly harder. Neither helps against an XSS vulnerability on the same origin: injected script runs inside the victim's session, can read the token from the page and submit the request from the site itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The attacker needs no SPIP account. Exploitation requires a victim with an authenticated session who loads attacker-controlled content, either an external malicious page (the cross-site case) or an XSS payload injected into the site itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 1b8e4f404c2441c15ca6540b9a6d8e50cff219db

Vendor Advisory: https://git.spip.net/spip/spip/commit/1b8e4f404c2441c15ca6540b9a6d8e50cff219db

Restart Required: No

Instructions:

1. Update SPIP to the latest release of your branch (any release that includes the commit above).
2. If you cannot update, apply the changes from the referenced git commit to the affected files.
3. Confirm that every state-changing action in the back office rejects a request whose CSRF token is missing or altered, not merely that a token appears in the form.

🔧 Temporary Workarounds

Implement CSRF Tokens (platform: all)

Add a CSRF token to every form that triggers a state change and validate it server-side before the action runs. The token must be bound to the user's session, so that a token the attacker obtained from their own account cannot be replayed against the victim. This is what the upstream commit does for the affected files, so backporting that commit is preferable to writing your own check.

SameSite Cookie Policy (platform: all)

Set SameSite=Strict or Lax on the session cookie so that browsers withhold it on cross-site requests:

session.cookie_samesite = Strict

Caveat: this php.ini directive only governs the cookie issued by PHP's native session extension (PHPSESSID). SPIP authenticates with its own spip_session cookie, set by the application rather than by PHP sessions, so the directive does not protect it. Check the Set-Cookie headers the site actually emits; if spip_session carries no SameSite attribute, add it at the web server, for example with Apache mod_headers: Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax". Lax still sends the cookie on top-level GET navigations, so it does not protect any action reachable via GET, and neither value helps once an attacker has XSS on the site.
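The session-bound token check described above, as an added Python illustration (not SPIP's own code and not the upstream patch): a token is an HMAC over the session identifier and the action name, so a forged cross-site form (cookie present, token absent), a token minted in the attacker's own session, and a token issued for a different action are all rejected. The cookie name spip_session, the action names and the in-memory secret are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Per-site secret. Constructed here for the demonstration; a real deployment
# loads it from configuration and keeps it outside the web root.
SITE_SECRET = secrets.token_bytes(32)

SESSION_COOKIE = "spip_session"  # assumption: name of SPIP's own session cookie


def issue_token(session_id: str, action: str) -> str:
    """Mint a token bound to both the session that will submit the form and
    the action the form performs. Any other session or action hashes differently."""
    message = f"{session_id}\x00{action}".encode()
    return hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, presented) -> bool:
    """Server-side check: recompute the expected token and compare in constant time."""
    if not isinstance(presented, str) or not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, action), presented)


def handle_action(cookies: dict, form: dict) -> str:
    """Simulated back-office action endpoint. The browser attaches the session
    cookie even on a cross-site POST; only the token proves that the form was
    rendered by this site for this session."""
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return "401 not logged in"
    action = form.get("action", "")
    if not token_valid(session_id, action, form.get("token")):
        return "403 csrf token missing or invalid"
    # Only here would the real handler change state.
    return f"200 performed {action}"


def demo() -> dict:
    """Four requests hitting the same endpoint with the victim's cookie attached."""
    victim = {SESSION_COOKIE: "42_victimsession"}
    attacker_session = "7_attackersession"
    return {
        # Legitimate form rendered by the site for the victim
        "legit": handle_action(victim, {"action": "aiguiller",
                                        "token": issue_token(victim[SESSION_COOKIE], "aiguiller")}),
        # Cross-site auto-submitted form: the cookie rides along, the token does not
        "forged": handle_action(victim, {"action": "aiguiller"}),
        # Token the attacker obtained from their own account, replayed against the victim
        "replayed": handle_action(victim, {"action": "aiguiller",
                                           "token": issue_token(attacker_session, "aiguiller")}),
        # Valid token for one action used to trigger another
        "wrong_action": handle_action(victim, {"action": "balises",
                                               "token": issue_token(victim[SESSION_COOKIE], "aiguiller")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The token travels in a hidden form field (or a request header set by same-origin script), never only in a cookie, because a cookie is exactly what the cross-site request already carries.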

🧯 If You Can't Patch

  • Configure the WAF or reverse proxy to block POST requests to the affected scripts whose Origin or Referer header is missing or names a foreign origin (this also blocks legitimate clients that strip Referer, so test before enforcing)
  • Restrict authenticated user permissions to the minimum necessary, so that a successful forgery against a low-privilege account cannot reach administrative actions
  • Ask contributors and administrators to log out of the back office when they are not using it, which removes the authenticated session the attack depends on

🔍 How to Verify

Check if Vulnerable:

Confirm that the installed version is 4.0.0 and that the referenced commit is not present in your tree (compare the affected files against the commit diff). An install that still accepts the affected actions without a session-bound token is vulnerable.

Check Version:

Read the version string from ecrire/inc_version.php ($spip_version_branche) or from the version shown in the admin panel.

Verify Fix Applied:

Confirm that the reported version is a release that includes the fix, then submit one of the affected forms with its token removed or altered and check that the server rejects the request.
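An added Python check for the two verification steps (not part of the page or of SPIP): it reads the version string from an inc_version.php-style file and inspects a response's Set-Cookie headers for a SameSite attribute on the SPIP session cookie. The file layout ($spip_version_branche), the cookie name spip_session and the sample headers are constructed assumptions; the first header set shows the case the php.ini workaround leaves unprotected, where PHPSESSID has SameSite but spip_session does not.

```python
import re
from pathlib import Path

# Constructed excerpt. Assumption: SPIP keeps its version in ecrire/inc_version.php
# in a variable named $spip_version_branche.
SAMPLE_INC_VERSION = '''<?php
$spip_version_branche = "4.0.0";
$spip_version_code = 4.0;
'''

# Constructed response headers. Assumption: SPIP's session cookie is named spip_session.
HEADERS_PHP_INI_ONLY = [
    "Set-Cookie: PHPSESSID=c0ffee; path=/; SameSite=Strict",   # what session.cookie_samesite covers
    "Set-Cookie: spip_session=42_deadbeef; path=/; HttpOnly",  # the cookie that actually matters
]
HEADERS_FIXED_AT_SERVER = [
    "Set-Cookie: spip_session=42_deadbeef; path=/; HttpOnly; SameSite=Lax",
]

VERSION_RE = re.compile(r"""\$spip_version_branche\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]""")


def parse_spip_version(php_source: str):
    """Extract the version string, or None if the variable is not found."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def read_install_version(spip_root: str):
    """Same check against the real file under an installation root."""
    source = (Path(spip_root) / "ecrire" / "inc_version.php").read_text(encoding="utf-8")
    return parse_spip_version(source)


def is_listed_as_affected(version) -> bool:
    """This advisory lists exactly 4.0.0; pre-release suffixes such as 4.0.0-dev count too."""
    if not version:
        return False
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) == (4, 0, 0)


def cookie_attributes(set_cookie_value: str) -> dict:
    """Parse one Set-Cookie value into {'name', 'value', '<attribute lower-cased>': value or True}."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def session_cookie_samesite(headers, cookie_name="spip_session"):
    """Return the SameSite value set on the session cookie, or None if the cookie
    is absent from the response or carries no SameSite attribute."""
    for header in headers:
        label, _, value = header.partition(":")
        if label.strip().lower() != "set-cookie":
            continue
        attrs = cookie_attributes(value)
        if attrs["name"] == cookie_name:
            return attrs.get("samesite")
    return None


if __name__ == "__main__":
    v = parse_spip_version(SAMPLE_INC_VERSION)
    print(f"version {v}: affected={is_listed_as_affected(v)}")
    print("php.ini only  ->", session_cookie_samesite(HEADERS_PHP_INI_ONLY))
    print("server header ->", session_cookie_samesite(HEADERS_FIXED_AT_SERVER))
```

Run read_install_version() against the document root of a live install, and feed session_cookie_samesite() the headers of a response that sets the session cookie (the login response is the usual one); a None result for spip_session means the SameSite workaround is not in effect regardless of what php.ini says.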

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the affected scripts whose Referer header is missing or points to a foreign origin
  • Administrative or content-changing actions in a user's session that the user does not recognise, especially shortly after visiting an external site

Network Indicators:

  • Requests carrying an authenticated session cookie whose Origin or Referer header names an origin other than the site's own

SIEM Query:

source_ip NOT IN trusted_ips AND (uri CONTAINS 'aiguiller.php' OR uri CONTAINS 'balises.php') AND status=200

Caveats: in a CSRF attack the request is sent by the victim's own browser, so the source IP belongs to a legitimate user and an IP allow-list is a weak filter; a missing or foreign Referer/Origin is the stronger signal. Filtering on status=200 can also miss hits, since back-office actions often answer with a redirect. If your SPIP dispatches these scripts through an action= query parameter rather than by file name, match the query string as well.
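The log indicators and the SIEM query above, run over constructed Apache combined-format log lines, as an added Python example (not the page's or SPIP's code). It flags requests to the affected scripts whose Referer is missing or names a foreign host, skips an assumed trusted IP, keeps the response status so redirects are not lost, and matches both the literal file names and an action=<name> query form, which is an assumption about how SPIP routes ecrire/action/*.php scripts. The hostname example.org, the IP addresses and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.org"      # assumption: the SPIP site's own hostname
TRUSTED_IPS = {"10.0.0.7"}     # assumption: an internal monitor, like the query's trusted_ips

# Files named by the advisory. Matching them through an action=<name> query
# parameter is an assumption about how SPIP dispatches ecrire/action/<name>.php.
AFFECTED_ACTIONS = ("aiguiller", "balises")

# Apache combined log format; every line below is constructed for this example.
SAMPLE_LOG = """\
198.51.100.23 - - [11/Dec/2021:09:14:02 +0000] "POST /ecrire/?action=aiguiller HTTP/1.1" 302 0 "https://example.org/ecrire/?exec=accueil" "Mozilla/5.0"
198.51.100.23 - - [11/Dec/2021:09:16:45 +0000] "POST /ecrire/?action=aiguiller HTTP/1.1" 302 0 "https://evil.example/bait.html" "Mozilla/5.0"
198.51.100.23 - - [11/Dec/2021:09:16:46 +0000] "POST /ecrire/?action=balises HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Dec/2021:09:20:10 +0000] "GET /spip.php?article12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Dec/2021:09:21:00 +0000] "POST /ecrire/action/balises.php HTTP/1.1" 200 0 "-" "monitor/1.0"
192.0.2.44 - - [11/Dec/2021:09:25:33 +0000] "GET /ecrire/action/aiguiller.php?arg=1 HTTP/1.1" 403 199 "http://evil.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """One combined-format line to a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_affected_script(uri: str) -> bool:
    """Literal file name in the path, or the script selected via ?action=<name>."""
    path, _, query = uri.partition("?")
    if any(path.endswith(f"/{name}.php") for name in AFFECTED_ACTIONS):
        return True
    return any(a in AFFECTED_ACTIONS for a in parse_qs(query).get("action", []))


def classify(entry):
    """Return why the entry looks like a cross-site forgery, or None if it does not."""
    if entry["ip"] in TRUSTED_IPS or not targets_affected_script(entry["uri"]):
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "no Referer"
    host = urlsplit(referer).hostname
    if host != SITE_HOST:
        return f"cross-site Referer {host}"
    return None


def scan(lines):
    """Findings in log order; the status is kept so redirect responses are not filtered away."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({"ip": entry["ip"], "method": entry["method"],
                             "uri": entry["uri"], "status": entry["status"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:15s} {f['method']:4s} {f['status']} {f['uri']}  <- {f['reason']}")
```

The first line (same-site Referer) is a normal back-office action and is not reported, while the forged lines are caught whether the server answered 302, 200 or 403; a missing Referer is weaker evidence than a foreign one, since some clients and privacy settings strip it, so treat those hits as candidates to correlate with the user's other activity.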
