Vulnerability Database

296,213

Total vulnerabilities in the database

CVE-2017-9736

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

Published: Jun 17, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-9736
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
spip / spip	3.1.0-alpha	3.1.0-alpha.x
spip / spip	3.2.0-beta	3.2.0-beta.x
spip / spip	3.1.0-rc3	3.1.0-rc3.x
spip / spip	3.1.5	3.1.5.x
spip / spip	3.1.4	3.1.4.x
spip / spip	3.1.0-rc	3.1.0-rc.x
spip / spip	3.2-alpha-1	3.2-alpha-1.x
spip / spip	3.1.0	3.1.0.x
spip / spip	3.1.3	3.1.3.x
spip / spip	3.1.1	3.1.1.x
spip / spip	3.2.0-beta2	3.2.0-beta2.x
spip / spip	3.1.0-rc2	3.1.0-rc2.x
spip / spip	3.1.2	3.1.2.x
spip / spip	3.1.0-beta	3.1.0-beta.x