Fluid Attacks Database

Description

RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via the _oups parameter.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spip	=3.2.11-3 \|\| =3.2.11-3+deb11u1 \|\| =3.2.11-3+deb11u2 \|\| =3.2.11-3+deb11u3 \|\| =3.2.11-3+deb11u4 \|\| >=0 <3.2.11-3+deb11u5	3.2.11-3+deb11u5
debian 13	spip	>=0 <4.1.5+dfsg-1	4.1.5+dfsg-1
packagist	spip/spip	>=3.1.13 <=4.1.2	-
debian 14	spip	>=0 <4.1.5+dfsg-1	4.1.5+dfsg-1

Aliases

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.