Vulnerability Details : CVE-2019-11071
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
Vulnerability category: Input validation, Execute code
Products affected by CVE-2019-11071
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
- cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-11071
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2019-11071: 33
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-11071
- 0.40%: probability of exploitation activity in the next 30 days
- ~73%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-11071
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2019-11071
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11071
- https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html
  Mise à jour CRITIQUE de sécurité : Sortie de SPIP 3.1.10 et SPIP (...) - SPIP Blog (Patch; Vendor Advisory)
- https://github.com/spip/SPIP/compare/1e3872c...9861a47
  Comparing 1e3872c...9861a47 · spip/SPIP · GitHub (Third Party Advisory)
- https://github.com/spip/SPIP/commit/3ef87c525bc0768c926646f999a54222b37b5d36
  v1.3.11 (securiser var_memotri) · spip/SPIP@3ef87c5 · GitHub (Patch; Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4429
  Debian -- Security Information -- DSA-4429-1 spip (Third Party Advisory)
- https://usn.ubuntu.com/4536-1/
  USN-4536-1: SPIP vulnerabilities | Ubuntu security notices | Ubuntu
- https://github.com/spip/SPIP/commit/824d17f424bf77d17af89c18c3dc807a3199567e
  sanitizer var_memotri avant de l'utiliser (G0uz) · spip/SPIP@824d17f · GitHub (Patch; Third Party Advisory)