Main Vulnerability Database Vulnerabilities #VU40407

Code Injection in Debian Linux and SPIP - CVE-2016-3153

Published: April 8, 2016 / Updated: August 9, 2020

Vulnerability identifier: #VU40407

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-3153

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Debian
spip.net

Affected software:
Debian Linux
SPIP

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

How to mitigate CVE-2016-3153

Install update from vendor's website.

Sources

http://www.debian.org/security/2016/dsa-3518
https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-1-SPIP-3-0-22-et-SPIP-2-1.html?lang=fr
https://core.spip.net/projects/spip/repository/revisions/22911

Code Injection in Debian Linux and SPIP - CVE-2016-3153

Detailed vulnerability description

How to mitigate CVE-2016-3153

Sources

Please verify you're human