Code Injection in Debian Linux and SPIP

#VU40407 Code Injection in Debian Linux and SPIP

Published: 2016-04-08 | Updated: 2020-08-09

Vulnerability identifier: #VU40407

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3153

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Debian Linux
Operating systems & Components / Operating system
SPIP
Web applications / CMS

Vendor: Debian
spip.net

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Debian Linux: 7.0 - 8.0

SPIP: 2.0.0 - 2.0.22, 2.1.1 - 2.1.18, 3.0.0 - 3.0.20, 3.1.0

External links
http://www.debian.org/security/2016/dsa-3518
http://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-1-SPIP-3-0-22-et-SPIP-2-1.html?lang=fr
http://core.spip.net/projects/spip/repository/revisions/22911

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Code Injection in Debian Linux