CVE-2023-27372: Code Injection

February 28, 2023 (updated March 6, 2023)

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

References

blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
nvd.nist.gov/vuln/detail/CVE-2023-27372
www.debian.org/security/2023/dsa-5367

Detect and mitigate CVE-2023-27372 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →