9.8

CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SpipSpip Version < 3.2.18
SpipSpip Version >= 4.0.0 < 4.0.10
SpipSpip Version >= 4.1.0 < 4.1.8
SpipSpip Version4.2.0 Update-
SpipSpip Version4.2.0 Updatealpha
SpipSpip Version4.2.0 Updatealpha2
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.64% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html
https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
Release Notes
https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
Patch
https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
Patch
https://www.debian.org/security/2023/dsa-5367
Third Party Advisory
https://packetstorm.news/files/id/171921
https://packetstorm.news/files/id/173044