CVE-2023-27372
published 2023-02-28


Priority: P1 95, critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit); listed in VulnCheck KEV; used for initial access
EPSS: 99.64% (99.9th percentile)
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Affected

11 ranges
Vendor | Product      | Version range                        | Fixed in
debian | debian_linux |                                      |
debian | spip         | < spip 3.2.11-3+deb11u7 (bullseye)   | spip 3.2.11-3+deb11u7 (bullseye)
spip   | spip         | < 3.2.18                             | 3.2.18
spip   | spip         |                                      |
spip   | spip         | >= 0 < 3.2.11-3+deb11u7              | 3.2.11-3+deb11u7
spip   | spip         | >= 0 < 4.1.8+dfsg-1                  | 4.1.8+dfsg-1
spip   | spip         | >= 0 < 4.1.8+dfsg-1                  | 4.1.8+dfsg-1
spip   | spip         | >= 0 < 3.1.4-4~deb9u5ubuntu0.1~esm2  | 3.1.4-4~deb9u5ubuntu0.1~esm2
spip   | spip         | >= 0 < 3.2.7-1ubuntu0.1+esm2         | 3.2.7-1ubuntu0.1+esm2
spip   | spip         | >= 4.0.0 < 4.0.10                    | 4.0.10
spip   | spip         | >= 4.1.0 < 4.1.8                     | 4.1.8

Detection & IOCs (extracted from sources)

url: /spip.php?page=spip_pass
command: page=spip_pass&formulaire_action=oubli&formulaire_action_args={{csrf}}&oubli=s:19:"";
  • Exploit targets the `oubli` POST parameter with a serialized PHP payload. Monitor POST requests to /spip.php?page=spip_pass containing `formulaire_action=oubli` and a serialized string in the `oubli` parameter (e.g., `s:<len>:"<payload>";`).
  • Exploitation is unauthenticated and targets the public-facing form area. No session or authentication cookie is required, so any POST to /spip.php?page=spip_pass with serialized data in `oubli` from an unauthenticated source is suspicious.
  • Successful exploitation response contains PHP environment disclosure strings. Alert on HTTP responses to /spip.php?page=spip_pass containing both 'PHP Extension' and 'PHP Version' in the body, which indicates RCE via phpinfo() or similar.
  • The Metasploit module lists `<4.1.18` as a vulnerable boundary for branch 4.1, which conflicts with the NVD/vendor advisory stating the fix is `4.1.8`. Verify the correct patched version for branch 4.1 before using version-based detection.
  • The CSRF token (`formulaire_action_args`) is dynamically extracted from the initial GET response before the exploit POST is sent. Static signatures must account for a variable token value in that field.
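The request-side and response-side checks from the bullets above as runnable detection logic, added here as an example (not part of this record, the Metasploit module, or any vendor tool). It assumes traffic is available as (method, URL, body) tuples; the sample requests and TOKEN* values are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Shape of a PHP serialized string: s:<declared length>:"<bytes>";
SERIALIZED_STRING = re.compile(r'^s:(\d+):"(.*)";$', re.DOTALL)

def parse_form(body):
    """Split a form-urlencoded body on '&' only: serialized PHP values contain ';'
    and older urllib.parse.parse_qs also split on ';', cutting the payload in half."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields

def classify_request(method, url, body):
    """Reason string when the request has the CVE-2023-27372 exploit shape (POST to
    /spip.php?page=spip_pass, formulaire_action=oubli, serialized string in oubli),
    else None. formulaire_action_args is a per-request CSRF token; its value is ignored."""
    if method.upper() != "POST" or urlsplit(url).path != "/spip.php":
        return None
    query, form = parse_form(urlsplit(url).query), parse_form(body)
    page = (query.get("page") or form.get("page") or [""])[0]
    if page != "spip_pass" or form.get("formulaire_action", [""])[0] != "oubli":
        return None
    for value in form.get("oubli", []):
        m = SERIALIZED_STRING.match(value)
        if m:
            declared, actual = int(m.group(1)), len(m.group(2).encode())
            reason = "serialized PHP string in oubli"
            if declared != actual:  # the quoted PoC's s:19:""; declares 19 bytes but carries 0
                reason += " (declared length %d != actual %d)" % (declared, actual)
            return reason
    return None

def response_indicates_rce(response_body):
    """Response-side signal from the bullets: phpinfo()-style disclosure strings."""
    return "PHP Extension" in response_body and "PHP Version" in response_body

# Constructed sample traffic (method, URL, body), not real captures; TOKEN* are placeholders.
SAMPLE_REQUESTS = [
    ("GET", "/spip.php?page=spip_pass", ""),
    ("POST", "/spip.php?page=spip_pass",
     "page=spip_pass&formulaire_action=oubli&formulaire_action_args=TOKEN1&oubli=user%40example.org"),
    ("POST", "/spip.php?page=spip_pass",
     "page=spip_pass&formulaire_action=oubli&formulaire_action_args=TOKEN2&oubli=s%3A19%3A%22%22%3B"),
]
def scan(requests=SAMPLE_REQUESTS):  # (index, reason) for every matching request
    return [(i, r) for i, req in enumerate(requests) if (r := classify_request(*req))]
```

Only the third sample fires: a plain e-mail address in `oubli` is the legitimate use of the password-reset form and is not flagged.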

CVSS provenance

nvd (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vulncheck: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_ubuntu: 6.2 MEDIUM