Fluid Attacks Database

Description

SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spip	>=0 <3.2.4-1	3.2.4-1
debian 13	spip	>=0 <3.2.4-1	3.2.4-1
packagist	spip/spip	>=3.1.0 <3.1.10 \|\| >=3.2.0 <3.2.4	3.1.10, 3.2.4
debian 14	spip	>=0 <3.2.4-1	3.2.4-1

Aliases

1. CVE-2019-110712. NVD-2019-110713. OSV-DEBIAN-2019-110714. OSV-2019-110715. GCVE-2019-110716. SECURITY-TRACKER-CVE-2019-11071

References

1. https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-10-et-SPIP-3-2-4.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.