Remote Code Execution in SPIP by SPIP Team
CVE-2022-37155

8.8HIGH

Key Information:

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 14 December 2022

Summary

The vulnerability in SPIP, versions 3.1.13 through 4.1.2, allows remote authenticated users to execute arbitrary code through manipulation of the _oups parameter, potentially leading to unauthorized actions and compromising the security of the application. This vulnerability highlights the critical need for prompt updates to secure user-managed applications from exploitation.

References

https://spawnzii.github.io/posts/2022/07/how-we-have-pwne...

https://blog.spip.net/Mise-a-jour-critique-de-securite-so...

https://pastebin.com/ZH7CPc8X

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2022
Vulnerability Reserved
Aug 1, 2022