Fluid Attacks Database

Description

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	spip/spip	>=3.1.0 <=3.1.5 \|\| =3.2.0	3.1.10, 3.2.4
debian 13	spip	>=0 <3.1.4-3	3.1.4-3
debian 11	spip	>=0 <3.1.4-3	3.1.4-3
debian 14	spip	>=0 <3.1.4-3	3.1.4-3

Aliases

1. CVE-2017-97362. NVD-2017-97363. OSV-2017-97364. OSV-DEBIAN-2017-97365. GCVE-2017-97366. SECURITY-TRACKER-CVE-2017-9736

References

1. https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta2. https://core.spip.net/projects/spip/repository/revisions/235933. https://core.spip.net/projects/spip/repository/revisions/23594

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.