CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Published: Feb 28, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-27372
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
spip / spip	4.2.0-alpha2	4.2.0-alpha2.x
spip / spip	4.2.0-alpha	4.2.0-alpha.x
spip / spip	4.2.0	4.2.0.x
spip / spip	4.1.0	4.1.8
spip / spip	4.0.0	4.0.10
spip / spip	-	3.2.18
debian / debian_linux	11.0	11.0.x

http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html
https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
https://packetstorm.news/files/id/171921
https://packetstorm.news/files/id/173044
https://www.debian.org/security/2023/dsa-5367

Vulnerability Database

CVE-2023-27372