First published: Fri Apr 08 2016
The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
SPIP SPIP | =2.0.0 | |
SPIP SPIP | =2.0.1 | |
SPIP SPIP | =2.0.2 | |
SPIP SPIP | =2.0.3 | |
SPIP SPIP | =2.0.4 | |
SPIP SPIP | =2.0.5 | |
SPIP SPIP | =2.0.6 | |
SPIP SPIP | =2.0.7 | |
SPIP SPIP | =2.0.8 | |
SPIP SPIP | =2.0.9 | |
SPIP SPIP | =2.0.10 | |
SPIP SPIP | =2.0.11 | |
SPIP SPIP | =2.0.12 | |
SPIP SPIP | =2.0.13 | |
SPIP SPIP | =2.0.14 | |
SPIP SPIP | =2.0.15 | |
SPIP SPIP | =2.0.16 | |
SPIP SPIP | =2.0.17 | |
SPIP SPIP | =2.0.18 | |
SPIP SPIP | =2.0.19 | |
SPIP SPIP | =2.0.20 | |
SPIP SPIP | =2.0.21 | |
SPIP SPIP | =2.0.22 | |
SPIP SPIP | =2.1.1 | |
SPIP SPIP | =2.1.2 | |
SPIP SPIP | =2.1.3 | |
SPIP SPIP | =2.1.4 | |
SPIP SPIP | =2.1.5 | |
SPIP SPIP | =2.1.6 | |
SPIP SPIP | =2.1.7 | |
SPIP SPIP | =2.1.8 | |
SPIP SPIP | =2.1.9 | |
SPIP SPIP | =2.1.10 | |
SPIP SPIP | =2.1.11 | |
SPIP SPIP | =2.1.12 | |
SPIP SPIP | =2.1.13 | |
SPIP SPIP | =2.1.14 | |
SPIP SPIP | =2.1.15 | |
SPIP SPIP | =2.1.16 | |
SPIP SPIP | =2.1.17 | |
SPIP SPIP | =2.1.18 | |
SPIP SPIP | =2.1.19 | |
SPIP SPIP | =3.0.0 | |
SPIP SPIP | =3.0.1 | |
SPIP SPIP | =3.0.2 | |
SPIP SPIP | =3.0.3 | |
SPIP SPIP | =3.0.4 | |
SPIP SPIP | =3.0.5 | |
SPIP SPIP | =3.0.6 | |
SPIP SPIP | =3.0.7 | |
SPIP SPIP | =3.0.8 | |
SPIP SPIP | =3.0.9 | |
SPIP SPIP | =3.0.10 | |
SPIP SPIP | =3.0.11 | |
SPIP SPIP | =3.0.13 | |
SPIP SPIP | =3.0.14 | |
SPIP SPIP | =3.0.15 | |
SPIP SPIP | =3.0.16 | |
SPIP SPIP | =3.0.17 | |
SPIP SPIP | =3.0.19 | |
SPIP SPIP | =3.0.20 | |
SPIP SPIP | =3.1.0 | |
CVE-2016-3154 has a high severity rating as it allows remote attackers to execute arbitrary PHP code.
To fix CVE-2016-3154, upgrade your SPIP installation to version 2.1.19, 3.0.22, or 3.1.1 or later.
CVE-2016-3154 affects SPIP 2.x versions before 2.1.19, 3.0.x versions before 3.0.22, and 3.1.x versions before 3.1.1.
PHP object injection attacks allow attackers to inject malicious serialized objects into application code, which can lead to arbitrary code execution.
It is recommended to regularly update your SPIP version and monitor for any new vulnerabilities similar to CVE-2016-3154.
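The sentence on PHP object injection above describes the bug class in general terms. The block below is an added illustration, not SPIP's code and not a reproduction of the fix SPIP shipped: it shows the shape of an `unserialize()` sink on request-controlled data next to a hardened decoder that never instantiates objects, plus a simple detection check a defender can apply to incoming payloads. The function names (`decode_context_unsafe`, `decode_context_safe`, `contains_serialized_object`) and the two sample payloads are constructed for this example, and the code assumes PHP 8 (for `str_starts_with` and the `mixed` type).

```php
<?php
declare(strict_types=1);

// Added illustration, not SPIP's code. Function names and sample payloads
// below are constructed for this example.

// Sink pattern: unserialize() applied directly to request-controlled data.
// Any loadable class with __wakeup() or __destruct() side effects becomes
// reachable, which is what lets a deserialization bug escalate to code execution.
function decode_context_unsafe(string $payload): mixed
{
    return unserialize($payload);
}

// Defender-side check (logging / WAF rule): does the serialized string carry an
// object token (O:) or a custom-serialized token (C:)? A context that is only
// meant to hold scalars and arrays never needs either.
function contains_serialized_object(string $payload): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $payload);
}

// Hardened decoder: objects are never instantiated. With allowed_classes => false
// every object token becomes a __PHP_Incomplete_Class placeholder, so no
// application class's magic methods run; the payload is then rejected outright
// if any such placeholder is present anywhere in the structure.
function decode_context_safe(string $payload): ?array
{
    if (!str_starts_with($payload, 'a:')) {   // expected top-level type is an array
        return null;
    }
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $hasObject = false;
    array_walk_recursive($data, function ($leaf) use (&$hasObject): void {
        if (is_object($leaf)) {
            $hasObject = true;
        }
    });
    return $hasObject ? null : $data;
}

// Constructed sample inputs (not captured from any real request).
$benign  = serialize(['id_article' => 12, 'lang' => 'fr']);
$hostile = 'a:1:{s:3:"ctx";O:8:"stdClass":0:{}}';   // object nested inside an array

var_dump(decode_context_safe($benign));
var_dump(decode_context_safe($hostile));
var_dump(contains_serialized_object($hostile));
```

The `allowed_classes` option is the minimum fix for a sink that must keep accepting the native serialization format; where the format can be changed, carrying the context as JSON (`json_decode` with associative arrays) removes the object-instantiation path entirely, and the `contains_serialized_object` check remains useful as a detection signal on whatever still reaches `unserialize()`.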