CVE-2022-37155

moderate-risk
Published 2022-12-14

RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

Do I need to act?

~
6.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Spip

References (8)

Patch https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-1-5-SPIP...
Exploit https://github.com/Abyss-W4tcher/ab4yss-wr4iteups/blob/ffa980faa9e3598d49d6fb7de...
Exploit https://pastebin.com/ZH7CPc8X
Exploit https://spawnzii.github.io/posts/2022/07/how-we-have-pwned-root-me-in-2022/
Patch https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-1-5-SPIP...
Exploit https://github.com/Abyss-W4tcher/ab4yss-wr4iteups/blob/ffa980faa9e3598d49d6fb7de...
Exploit https://pastebin.com/ZH7CPc8X
Exploit https://spawnzii.github.io/posts/2022/07/how-we-have-pwned-root-me-in-2022/
44
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal