CVE-2019-11071: Improper Input Validation in Spip

Severity
8.8 HIGH (NVD)
OSV: 6.1
EPSS: 2.5% (top 14.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 10
Latest update: May 13

Description

SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

NVD | spip/spip | 3.1.0 | 3.1.10 | +1
debian | debian/spip | < spip 3.2.4-1 (bullseye)
Debian | spip/spip | < 3.2.4-1 | +2
Ubuntu | spip/spip | < 3.1.4-4~deb9u3build0.18.04.1

Also affects: Debian Linux 9.0

Patches

🔴 Vulnerability Details (3)

GHSA | GHSA-v4x3-p383-7f79: SPIP 3 | 2022-05-13
OSV | spip vulnerabilities | 2020-09-24
OSV | CVE-2019-11071: SPIP 3 | 2019-04-10

📋 Vendor Advisories (2)

Ubuntu | SPIP vulnerabilities | 2020-09-24
Debian | CVE-2019-11071: spip - SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to exe... | 2019