CVE-2023-27372

Summary

CVE	CVE-2023-27372
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-02-28 20:15:00 UTC
Updated	2023-06-21 18:15:00 UTC
Description	SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	11.0	All	All	All
Application	Spip	Spip	All	All	All	All
Application	Spip	Spip	4.2.0	-	All	All
Application	Spip	Spip	4.2.0	alpha	All	All
Application	Spip	Spip	4.2.0	alpha2	All	All

References

Reference	Source	Link	Tags
Debian -- Security Information -- DSA-5367-1 spip	DEBIAN	www.debian.org
Fix: Sanitizer toutes les valeurs passées aux formulaires · 96fbeb3871 - spip - SPIP on GIT	MISC	git.spip.net
Mise à jour critique de sécurité : sortie de SPIP 4.2.1, SPIP 4.1.8, SPIP (...) - SPIP Blog	MISC	blog.spip.net
SPIP Remote Command Execution ≈ Packet Storm	MISC	packetstormsecurity.com
Fix: Sanitizer toutes les valeurs passées aux formulaires · 5aedf49b89 - spip - SPIP on GIT	MISC	git.spip.net
SPIP 4.2.1 Remote Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181621 Debian Security Update for spip (DLA 3347-2)
181669 Debian Security Update for spip (DSA 5367-1)
183010 Debian Security Update for spip (CVE-2023-27372)