CVE-2023-27372

Public exploit
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Max CVSS: 9.8 | EPSS Score: 97.15% | Published: 2023-02-28 | Updated: 2023-06-21
SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. This vulnerability allows attackers to execute arbitrary code via a crafted POST request.
Max CVSS: 9.8 | EPSS Score: 0.16% | Published: 2023-02-27 | Updated: 2023-03-24
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.
Max CVSS: 8.8 | EPSS Score: 0.45% | Published: 2022-12-14 | Updated: 2023-01-30
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
Max CVSS: 8.8 | EPSS Score: 0.27% | Published: 2022-03-10 | Updated: 2022-03-18
SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.
Max CVSS: 8.8 | EPSS Score: 0.61% | Published: 2019-04-10 | Updated: 2020-09-28
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
Max CVSS: 9.8 | EPSS Score: 2.81% | Published: 2017-06-17 | Updated: 2017-11-04
Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary files via ".." sequences in the GLOBALS[type_urls] parameter, which could then be used to execute arbitrary code via resultant direct static code injection in the file parameter to spip_acces_doc.php3.
Max CVSS: 6.4 | EPSS Score: 3.71% | Published: 2006-02-09 | Updated: 2017-07-20
7 vulnerabilities found