CVE-2023-27372

Public exploit
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Max CVSS
9.8
EPSS Score
97.15%
Published
2023-02-28
Updated
2023-06-21
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
Max CVSS
9.8
EPSS Score
0.16%
Published
2023-02-27
Updated
2023-03-24
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
Max CVSS
8.8
EPSS Score
0.45%
Published
2022-12-14
Updated
2023-01-30
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
Max CVSS
8.8
EPSS Score
0.14%
Published
2022-05-19
Updated
2022-05-26
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
Max CVSS
8.8
EPSS Score
0.21%
Published
2022-05-19
Updated
2022-05-26
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
Max CVSS
8.8
EPSS Score
0.27%
Published
2022-03-10
Updated
2022-03-18
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
Max CVSS
8.8
EPSS Score
0.17%
Published
2022-01-26
Updated
2022-02-02
SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).
Max CVSS
8.8
EPSS Score
0.08%
Published
2022-01-26
Updated
2022-02-02
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
Max CVSS
9.8
EPSS Score
0.16%
Published
2020-11-23
Updated
2021-02-04
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
Max CVSS
8.8
EPSS Score
0.61%
Published
2019-04-10
Updated
2020-09-28
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
Max CVSS
9.8
EPSS Score
2.81%
Published
2017-06-17
Updated
2017-11-04
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.
Max CVSS
8.8
EPSS Score
0.93%
Published
2017-01-18
Updated
2017-05-24
Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.
Max CVSS
8.8
EPSS Score
0.40%
Published
2017-01-18
Updated
2017-05-24
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
Max CVSS
9.8
EPSS Score
0.58%
Published
2016-04-08
Updated
2016-04-14
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
Max CVSS
9.8
EPSS Score
0.58%
Published
2016-04-08
Updated
2016-04-14
Multiple unspecified vulnerabilities in SPIP before 1.9.2.o, 2.0.x before 2.0.18, and 2.1.x before 2.1.13 have unknown impact and attack vectors that are not related to cross-site scripting (XSS), different vulnerabilities than CVE-2012-2151.
Max CVSS
10.0
EPSS Score
0.21%
Published
2012-08-14
Updated
2012-08-15
Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors.
Max CVSS
10.0
EPSS Score
0.33%
Published
2009-01-02
Updated
2017-08-08
17 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!