#VU42367 Code Injection in SPIP - CVE-2013-4557

Cybersecurity Help s.r.o.

Published: 2013-11-18 | Updated: 2020-08-10

Vulnerability identifier: #VU42367

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-4557

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SPIP
Web applications / CMS

Vendor: spip.net

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The Security Screen (_core_/securite/ecran_securite.php) before 1.1.8 for SPIP, as used in SPIP 3.0.x before 3.0.12, allows remote attackers to execute arbitrary PHP via the connect parameter.

Mitigation
Install update from vendor's website.

Vulnerable software versions

SPIP: 3.0.0 - 3.0.11

External links
https://secunia.com/advisories/55551
https://www.openwall.com/lists/oss-security/2013/11/10/4
https://www.securitytracker.com/id/1029317
https://www.spip.net/fr_article5646.html
https://www.spip.net/fr_article5648.html
https://zone.spip.org/trac/spip-zone/changeset/75105/_core_/securite/ecran_securite.php
https://www.debian.org/security/2013/dsa-2794

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in spip.net SPIP