VDB
CVE-2023-27372
PUBLISHED
CVSS 9.8 CRITICAL
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
EPSS 93.12% · 99.8th percentile
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
93.12%
99.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| debian | debian_linux | 11.0 |
| spip | spip | 0, 4.0.0, 4.1.0 |
Exploit Intelligence
…and 308 more exploits
Timeline
- Oct 21, 2021 CrowdSec Sighting
- Apr 21, 2022 CrowdSec Sighting
- Sep 9, 2022 CrowdSec Sighting
- Sep 27, 2022 CrowdSec Sighting
- Nov 10, 2022 CrowdSec Sighting
- Feb 5, 2023 CrowdSec Sighting
- Feb 27, 2023 Metasploit Module
- Feb 28, 2023 CVE Published
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-27372 advisory
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html url
- https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266 url
- https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d url
- https://packetstorm.news/files/id/171921 url
- https://packetstorm.news/files/id/173044 url
- https://www.debian.org/security/2023/dsa-5367 url
- http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html url
- http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html url
- https://blog.spip.net/Mise-a-jour-sortie-de-SPIP-4-2-2-SPIP-4-1-9-SPIP-4-0-11-et-SPIP-3-2-19.html advisory