CVE-2022-37155: Code Injection in Spip

CWE-94 Code Injection | 6 documents | 5 sources
Severity
NVD: 8.8 HIGH
OSV: 6.1
EPSS
6.2% (top 9.11%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 14
Latest update: Mar 4

Description

RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Source    Package        Affected versions
debian    debian/spip    < spip 3.2.11-3+deb11u5 (bullseye)
Debian    spip/spip      < 3.2.11-3+deb11u5+2
Ubuntu    spip/spip      < 3.1.4-4~deb9u5ubuntu0.1~esm2+1
NVD       spip/spip      3.1.13 through 4.1.2

Patches

Vulnerability Details (3)

OSV     spip vulnerabilities                    2025-03-04
GHSA    GHSA-7c7w-25xj-4mp8: RCE in SPIP 3      2022-12-14
OSV     CVE-2022-37155: RCE in SPIP 3           2022-12-14

Vendor Advisories (2)

Ubuntu    SPIP vulnerabilities    2025-03-04
Debian    CVE-2022-37155: spip - RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute ar...    2022
CVE-2022-37155 — Code Injection in Debian Spip | cvebase