First published: Tue Feb 28 2023
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Spip Spip | <3.2.18 | |
| Spip Spip | >=4.0.0, <4.0.10 | |
| Spip Spip | >=4.1.0, <4.1.8 | |
| Spip Spip | =4.2.0 | |
| Spip Spip | =4.2.0-alpha | |
| Spip Spip | =4.2.0-alpha2 | |
| Debian Debian Linux | =11.0 | |
| debian/spip | <=3.2.4-1+deb10u9 | 3.2.4-1+deb10u11, 3.2.11-3+deb11u9, 3.2.11-3+deb11u7, 4.1.9+dfsg-1+deb12u2, 4.1.12+dfsg-1 |
CVE-2023-27372 is a vulnerability in SPIP before version 4.2.1 that allows remote code execution via form values in the public area because serialization is mishandled.
CVE-2023-27372 has a severity rating of 9.8, classified as critical.
SPIP versions before 3.2.18, 4.0.10, 4.1.8, and 4.2.1 (including 4.2.0 and its alpha releases) are affected by CVE-2023-27372.
To fix CVE-2023-27372, you should update SPIP to version 3.2.18, 4.0.10, 4.1.8, or 4.2.1.
You can find more information about CVE-2023-27372 at the following references: http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html, http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html, https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html