Vulnerability in N/a
CVE-2023-27372
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
EPSS: 0.931 (99.8th percentile) — read the EPSS interpretation.
Affected products
- N/a — versions n/a
Public proof-of-concept exploits
References
- blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-…
- git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
- git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
- DSA-5367 (vendor-advisory)
- packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
- packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html
Frequently asked questions
- What is CVE-2023-27372?
- CVE-2023-27372 is a vulnerability in N/a. Published 2023-02-28.
- Is CVE-2023-27372 known to be exploited?
- 40 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.