CVE-2023-27372
Published: 2023-02-28
Priority: P1 (95) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: exploited in the wild (ITW) · public exploit · VulnCheck KEV · initial access
EPSS: 99.64% (99.9th percentile)
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | spip | < spip 3.2.11-3+deb11u7 (bullseye) | spip 3.2.11-3+deb11u7 (bullseye) |
| spip | spip | < 3.2.18 | 3.2.18 |
| spip | spip | — | — |
| spip | spip | >= 0 < 3.2.11-3+deb11u7 | 3.2.11-3+deb11u7 |
| spip | spip | >= 0 < 4.1.8+dfsg-1 | 4.1.8+dfsg-1 |
| spip | spip | >= 0 < 4.1.8+dfsg-1 | 4.1.8+dfsg-1 |
| spip | spip | >= 0 < 3.1.4-4~deb9u5ubuntu0.1~esm2 | 3.1.4-4~deb9u5ubuntu0.1~esm2 |
| spip | spip | >= 0 < 3.2.7-1ubuntu0.1+esm2 | 3.2.7-1ubuntu0.1+esm2 |
| spip | spip | >= 4.0.0 < 4.0.10 | 4.0.10 |
| spip | spip | >= 4.1.0 < 4.1.8 | 4.1.8 |
Detection & IOCs (extracted from sources)
- Exploit targets the `oubli` POST parameter with a serialized PHP payload. Monitor POST requests to /spip.php?page=spip_pass containing `formulaire_action=oubli` and a serialized string in the `oubli` parameter (e.g., `s:<len>:"<payload>";`).
- Exploitation is unauthenticated and targets the public-facing form area. No session or authentication cookie is required, so any POST to /spip.php?page=spip_pass with serialized data in `oubli` from an unauthenticated source is suspicious.
- Successful exploitation response contains PHP environment disclosure strings. Alert on HTTP responses to /spip.php?page=spip_pass containing both 'PHP Extension' and 'PHP Version' in the body, which indicates RCE via phpinfo() or similar.
- The Metasploit module lists `<4.1.18` as a vulnerable boundary for branch 4.1, which conflicts with the NVD/vendor advisory stating the fix is `4.1.8`. Verify the correct patched version for branch 4.1 before using version-based detection.
- The CSRF token (`formulaire_action_args`) is dynamically extracted from the initial GET response before the exploit POST is sent. Static signatures must account for a variable token value in that field.
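The indicators above translate directly into a small request/response classifier. The following is an added example written for this page, not code from any of the listed sources: it checks the `oubli` form value of a POST to /spip.php?page=spip_pass for a PHP serialized string, ignores the variable `formulaire_action_args` token, flags the phpinfo-style disclosure strings in the response, and implements the version check using the vendor-fixed versions stated on this page (3.2.18, 4.0.10, 4.1.8, 4.2.1) rather than the Metasploit boundary. The sample exchanges and the token value are constructed; the rule that any branch without a listed backport is vulnerable when below 4.2.1 is an assumption drawn from the "SPIP before 4.2.1" wording.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Vendor-fixed versions per branch, as listed in the advisory text on this page.
FIXED_BY_BRANCH = {
    "3.2": (3, 2, 18),
    "4.0": (4, 0, 10),
    "4.1": (4, 1, 8),   # NOT 4.1.18 (Metasploit module value conflicts with the advisory)
    "4.2": (4, 2, 1),
}
LAST_FIXED = (4, 2, 1)

# A PHP serialized string starts with s:<length>:" ; the detection bullet
# on this page names exactly this shape for the oubli parameter.
SERIALIZED_STRING = re.compile(r'\bs:\d+:"')


def parse_version(version):
    """Parse an upstream dotted SPIP version such as '4.1.7' (distro suffixes are not handled)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version):
    """True if this upstream SPIP version predates the fix for its branch."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: a branch with no backported fix is vulnerable when it is older
    # than the newest fixed release ("SPIP before 4.2.1").
    return v < LAST_FIXED


def inspect_exchange(method, target, body, response_body=""):
    """Return the list of indicator names matched by one request/response pair."""
    hits = []
    url = urlsplit(target)
    query = parse_qs(url.query)
    if method.upper() != "POST" or url.path != "/spip.php" or query.get("page") != ["spip_pass"]:
        return hits  # only the password-reminder form is in scope for this CVE
    form = parse_qs(body, keep_blank_values=True)
    if form.get("formulaire_action") == ["oubli"]:
        hits.append("spip_pass_oubli_post")
    # formulaire_action_args (the CSRF token) varies per session: never match on it.
    oubli_value = form.get("oubli", [""])[0]
    if SERIALIZED_STRING.search(oubli_value):
        hits.append("serialized_oubli_value")
    if "PHP Extension" in response_body and "PHP Version" in response_body:
        hits.append("phpinfo_in_response")
    return hits


def is_suspicious(hits):
    """A benign reminder request also hits spip_pass_oubli_post; escalate only on the other two."""
    return "serialized_oubli_value" in hits or "phpinfo_in_response" in hits


# Constructed sample traffic (no real payload): a normal password-reminder
# submission, an attempt carrying a serialized string, and a harmless GET.
SAMPLE_EXCHANGES = {
    "benign": ("POST", "/spip.php?page=spip_pass",
               "formulaire_action=oubli&formulaire_action_args=TOKEN_PLACEHOLDER"
               "&oubli=user%40example.org", "<html>mail sent</html>"),
    "attempt": ("POST", "/spip.php?page=spip_pass",
                "formulaire_action=oubli&formulaire_action_args=TOKEN_PLACEHOLDER"
                "&oubli=s%3A7%3A%22example%22%3B", "PHP Version ... PHP Extension"),
    "get": ("GET", "/spip.php?page=spip_pass", "", "<html>form</html>"),
}


def run_samples():
    """Classify every constructed exchange; returns {name: (hits, suspicious)}."""
    return {name: (inspect_exchange(*ex), is_suspicious(inspect_exchange(*ex)))
            for name, ex in SAMPLE_EXCHANGES.items()}


if __name__ == "__main__":
    for name, (hits, flagged) in run_samples().items():
        print(f"{name:8s} suspicious={flagged} hits={hits}")
```

Feed `inspect_exchange` the method, request target, URL-encoded body and response body from whatever proxy or WAF log you have; version checking only applies to upstream version strings, so strip distribution suffixes such as `+dfsg-1` before calling `is_vulnerable_version`.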
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vulncheck | 9.8 | CRITICAL | — |
| vendor_debian | 9.8 | CRITICAL | — |
| vendor_ubuntu | 6.2 | MEDIUM | — |
Ubuntu
SPIP vulnerabilities
vendor_ubuntu·2025-03-04·CVSS 6.2
CVE-2022-28959 [MEDIUM] SPIP vulnerabilities
Title: SPIP vulnerabilities
Summary: Several security issues were fixed in spip.
It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)
It was discovered that SPIP did not properly sanitize certain
Debian
CVE-2023-27372: spip - SPIP before 4.2.1 allows Remote Code Execution via form values in the public are...
vendor_debian·2023·CVSS 9.8
CVE-2023-27372 [CRITICAL] CVE-2023-27372: spip - SPIP before 4.2.1 allows Remote Code Execution via form values in the public are...
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Scope: local
bullseye: resolved (fixed in 3.2.11-3+deb11u7)
forky: resolved (fixed in 4.1.8+dfsg-1)
sid: resolved (fixed in 4.1.8+dfsg-1)
trixie: resolved (fixed in 4.1.8+dfsg-1)
OSV
spip vulnerabilities
osv·2025-03-04·CVSS 6.1
CVE-2022-23638 [MEDIUM] spip vulnerabilities
spip vulnerabilities
It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to p
GHSA
GHSA-jc3f-vxgp-6jw9: SPIP before 4
ghsa_unreviewed·2023-02-28
CVE-2023-27372 [CRITICAL] CWE-502 GHSA-jc3f-vxgp-6jw9: SPIP before 4
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
OSV
CVE-2023-27372: SPIP before 4
osv·2023-02-28·CVSS 9.8
CVE-2023-27372 [CRITICAL] CVE-2023-27372: SPIP before 4
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
VulnCheck
SPIP before 4.2.1 Remote Code Execution
vulncheck·2023·CVSS 9.8
CVE-2023-27372 [CRITICAL] SPIP before 4.2.1 Remote Code Execution
SPIP before 4.2.1 Remote Code Execution
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Affected: spip spip
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html; https://app.crowdsec.net/cti/cve-explorer/CVE-2023-27372
Exploit PoC: https://vulncheck.com/xdb/a7444b0210e4; https://vulncheck.com/xdb/ab5928501616; https://vulncheck.com/xdb/268a1b1d077a; https://vulncheck.com/xdb/04607676aadb; https://vulncheck.com/xdb/3ce4547b4b42
No detection rules found.
Exploit-DB
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
exploitdb·2023-06-20·CVSS 9.8
CVE-2023-27372 [CRITICAL] SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
---
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023
# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: \";" % (20 + len(options.command), options.command))
Metasploit
SPIP form PHP Injection
metasploit
SPIP form PHP Injection
SPIP form PHP Injection
This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
Nuclei
SPIP - Remote Command Execution
nuclei·CVSS 9.8
CVE-2023-27372 [CRITICAL] SPIP - Remote Command Execution
SPIP - Remote Command Execution
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Template:
id: CVE-2023-27372
info:
  name: SPIP - Remote Command Execution
  author: DhiyaneshDK,nuts7
  severity: critical
  description: |
    SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of SPIP.
  reference:
    - https://packetstormsecurity.com/files/171921
References:
- http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
- https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
- https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
- https://www.debian.org/security/2023/dsa-5367
- https://packetstorm.news/files/id/171921
- https://packetstorm.news/files/id/173044