Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-27372 — Deserialization of Untrusted Data in Spip

CWE-502 — Deserialization of Untrusted Data11 documents10 sources

Severity

9.8CRITICALNVD

OSV6.1

EPSS

93.1%

top 0.20%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Spip Debian Spip Debian Linux

Timeline

PublishedFeb 28

Latest updateMar 4

Description

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDspip/spip4.0.0 — 4.0.10+3

▶debiandebian/spip< spip 3.2.11-3+deb11u7 (bullseye)

▶Debianspip/spip< 3.2.11-3+deb11u7+2

▶Ubuntuspip/spip< 3.1.4-4~deb9u5ubuntu0.1~esm2+1

Also affects: Debian Linux 11.0

Patches

Patch: git.spip.net ↗Patch: git.spip.net ↗Patch: git.spip.net ↗

🔴Vulnerability Details

OSV

spip vulnerabilities↗2025-03-04

▶

GHSA

GHSA-jc3f-vxgp-6jw9: SPIP before 4↗2023-02-28

▶

OSV

CVE-2023-27372: SPIP before 4↗2023-02-28

▶

VulnCheck

SPIP before 4.2.1 Remote Code Execution↗2023

▶

💥Exploits & PoCs

Exploit-DB

SPIP v4.2.0 - Remote Code Execution (Unauthenticated)↗2023-06-20

▶

Metasploit

SPIP form PHP Injection↗

▶

Nuclei

SPIP - Remote Command Execution

▶

📋Vendor Advisories

Ubuntu

SPIP vulnerabilities↗2025-03-04

▶

Debian

CVE-2023-27372: spip - SPIP before 4.2.1 allows Remote Code Execution via form values in the public are...↗2023

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter August 2024↗

▶