CVE-2009-3041

SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
spipspip
1.9
spipspip
1.9:alpha2
spipspip
1.9.1
spipspip
1.9.2c:c
spipspip
1.9.2d:d
spipspip
1.9.2g:g
spipspip
1.9.2h:h
spipspip
1.9.alpha1:alpha1
spipspip
2.0:rc1
spipspip
2.0.0
spipspip
2.0.1
spipspip
2.0.2
spipspip
2.0.3
spipspip
2.0.4
spipspip
2.0.5
spipspip
2.0.6
spipspip
2.0.7
spipspip
2.0.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
spip
bullseye
3.2.11-3+deb11u10
fixed
bullseye (security)
3.2.11-3+deb11u7
fixed
sid
4.3.3+dfsg-1
fixed
trixie
4.3.3+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
spip
natty
not-affected
maverick
not-affected
lucid
not-affected
karmic
ignored
jaunty
dne
intrepid
dne
hardy
dne
dapper
ignored
Common Weakness Enumeration
References
http://fil.rezo.net/secu-14346-14350+14354.patch
http://secunia.com/advisories/36365
http://www.securityfocus.com/bid/36008
http://www.spip-contrib.net/SPIP-Security-Alert-new-version
https://exchange.xforce.ibmcloud.com/vulnerabilities/52381
http://fil.rezo.net/secu-14346-14350+14354.patch
http://secunia.com/advisories/36365
http://www.securityfocus.com/bid/36008
http://www.spip-contrib.net/SPIP-Security-Alert-new-version
https://exchange.xforce.ibmcloud.com/vulnerabilities/52381