CVE-2009-3041

EUVD-2009-3025
SPIP 1.9 before 1.9.2i and 2.0.x through 2.0.8 does not use proper access control for (1) ecrire/exec/install.php and (2) ecrire/index.php, which allows remote attackers to conduct unauthorized activities related to installation and backups, as exploited in the wild in August 2009.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS Score
Percentile: 87%
Affected Products (NVD)
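| Vendor | Product | Version |
|---|---|---|
| spip | spip | 1.9 |
| spip | spip | 1.9:alpha2 |
| spip | spip | 1.9.1 |
| spip | spip | 1.9.2c:c |
| spip | spip | 1.9.2d:d |
| spip | spip | 1.9.2g:g |
| spip | spip | 1.9.2h:h |
| spip | spip | 1.9.alpha1:alpha1 |
| spip | spip | 2.0:rc1 |
| spip | spip | 2.0.0 |
| spip | spip | 2.0.1 |
| spip | spip | 2.0.2 |
| spip | spip | 2.0.3 |
| spip | spip | 2.0.4 |
| spip | spip | 2.0.5 |
| spip | spip | 2.0.6 |
| spip | spip | 2.0.7 |
| spip | spip | 2.0.8 |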
Debian Releases
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| spip | bullseye | 3.2.11-3+deb11u10 | fixed |
| spip | bullseye (security) | 3.2.11-3+deb11u7 | fixed |
| spip | sid | 4.3.3+dfsg-1 | fixed |
| spip | trixie | 4.3.3+dfsg-1 | fixed |
Ubuntu Releases
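| Ubuntu Product | Codename | Status |
|---|---|---|
| spip | dapper | ignored |
| spip | hardy | dne |
| spip | intrepid | dne |
| spip | jaunty | dne |
| spip | karmic | ignored |
| spip | lucid | not-affected |
| spip | maverick | not-affected |
| spip | natty | not-affected |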
Common Weakness Enumeration