CVE-2023-27372
spip - security update
9.8
CRITICAL
CVSS 3.1
EPSS 93.1%
Description
SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
How to fix CVE-2023-27372
To remediate CVE-2023-27372, upgrade to a build that contains the fix. Upstream fixed the bug in 3.2.18, 4.0.10, 4.1.8 and 4.2.1; Debian backports the patch instead of rebasing, so the Debian 11 (bullseye) package keeps the upstream number 3.2.11 and the fix shows up only in the package revision. Compare the Debian revision, not the upstream number, when checking a Debian host.
- Debian/spip—upgrade to 3.2.11-3+deb11u7 or later
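Deciding which installs still need this update involves two different version comparisons: an upstream SPIP version is checked branch by branch against the fixed releases listed above, while the Debian package keeps the upstream number 3.2.11 and carries the fix in its revision suffix, so it has to be ordered with dpkg's rules. The script below is an added example, not code from this advisory, from SPIP or from Debian. It reimplements dpkg's `verrevcmp()` ordering so it runs where dpkg is not installed, knows only the bullseye fixed version this page lists, and the inventory at the bottom is constructed sample data.

```python
"""Triage helper for CVE-2023-27372 (SPIP): upstream and Debian version checks.

Added example; fixed versions are the ones the advisory lists. The Debian
ordering is a re-implementation of dpkg's verrevcmp() so no dpkg is needed.
"""
from __future__ import annotations

# Upstream fix per branch, as listed in the advisory.
UPSTREAM_FIXED = {(3, 2): (3, 2, 18), (4, 0): (4, 0, 10), (4, 1): (4, 1, 8), (4, 2): (4, 2, 1)}
FIRST_SAFE_RELEASE = (4, 2, 1)  # "SPIP before 4.2.1" is affected

# Debian backports the fix; the upstream number stays 3.2.11. Only bullseye is listed here.
DEBIAN_FIXED = {"bullseye": "3.2.11-3+deb11u7"}


def parse_upstream(version: str) -> tuple[int, int, int]:
    """'4.1.7' -> (4, 1, 7); a missing patch level counts as 0 ('4.2' -> (4, 2, 0))."""
    nums = [int(p) for p in version.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def upstream_status(version: str) -> tuple[bool, str]:
    """Return (vulnerable, advice) for an upstream SPIP version string."""
    v = parse_upstream(version)
    branch = v[:2]
    if branch in UPSTREAM_FIXED:
        fixed = ".".join(map(str, UPSTREAM_FIXED[branch]))
        if v >= UPSTREAM_FIXED[branch]:
            return False, f"{version} already carries the fix ({fixed})"
        return True, f"upgrade to {fixed} or later on the {branch[0]}.{branch[1]} branch"
    if v >= FIRST_SAFE_RELEASE:
        return False, f"{version} is newer than the first fixed release 4.2.1"
    # Older branch (3.1, 3.0, ...): affected, and no fixed release is listed for it.
    return True, f"no fixed release listed for the {branch[0]}.{branch[1]} branch; move to 3.2.18 or a newer branch"


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before end-of-string, then letters, then other non-digits."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(a: str, b: str) -> int:
    """Order two Debian versions (epoch:upstream-revision): <0 if a < b, 0 if equal, >0 if a > b."""
    def split(v: str) -> tuple[int, str, str]:
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def debian_status(pkg_version: str, suite: str = "bullseye") -> tuple[bool, str]:
    """Return (vulnerable, advice) for the Debian 'spip' package; unknown suites fail closed."""
    if suite not in DEBIAN_FIXED:
        return True, f"no fixed version recorded here for {suite}; check the Debian security tracker"
    fixed = DEBIAN_FIXED[suite]
    if dpkg_compare(pkg_version, fixed) < 0:
        return True, f"upgrade spip to {fixed} or later"
    return False, f"{pkg_version} >= {fixed}; fix already applied"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    inventory = [("web-a", "upstream", "3.2.17"), ("web-b", "upstream", "4.1.8"),
                 ("web-c", "upstream", "3.1.15"), ("web-d", "bullseye", "3.2.11-3+deb11u6"),
                 ("web-e", "bullseye", "3.2.11-3+deb11u7")]
    for host, source, version in inventory:
        vuln, advice = upstream_status(version) if source == "upstream" else debian_status(version, source)
        print(f"{host:6} {source:9} {version:18} {'VULNERABLE' if vuln else 'ok':10} {advice}")
```

Feed `upstream_status()` the version from a tarball or git checkout and `debian_status()` the output of `dpkg-query -W -f='${Version}' spip`; a host that reports 3.2.11 is only safe if the revision suffix orders at or above `3+deb11u7`.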
Is CVE-2023-27372 being exploited?
Likely. EPSS is 93.1%, i.e. FIRST's model puts the probability of exploitation activity in the next 30 days at 93.1%, which places CVE-2023-27372 in the top tier of vulnerabilities by exploitation probability. The score is a prediction, not evidence of exploitation on your hosts, but the CVSS vector below shows the bug is reachable over the network without credentials or user interaction, so an unpatched public SPIP instance should be treated as exposed. Prioritise patching.
Affected packages (2)
- Debian/spip: from 0, < 3.2.11-3+deb11u7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Reading the vector: network-reachable (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N, UI:N), and a full loss of confidentiality, integrity and availability (C:H/I:H/A:H) of the affected host.