Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-4557Code Injection in Spip

CWE-94Code Injection5 documents5 sources
Severity
7.5HIGHNVD
EPSS
69.5%
top 1.34%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
SpipDebian Spip
Timeline
PublishedNov 18
Latest updateMay 17

Description

The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

debiandebian/spip< spip 2.1.24-1 (bullseye)
Debianspip/spip< 2.1.24-1+2
NVDspip/spip12 versions+11

Patches

Patch: zone.spip.orgPatch: zone.spip.org

🔴Vulnerability Details

2
GHSA
GHSA-p3c2-jj59-pgg6: The Security Screen (_core_/securite/ecran_securite2022-05-17
OSV
CVE-2013-4557: The Security Screen (_core_/securite/ecran_securite2013-11-18

💥Exploits & PoCs

1
Metasploit
SPIP connect Parameter PHP Injection

📋Vendor Advisories

1
Debian
CVE-2013-4557: spip - The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, ...2013
CVE-2013-4557 — Code Injection in Debian Spip | cvebase