CVE-2017-9736 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 88%

Vendor	Product	Version
spip	spip	3.1.0
spip	spip	3.1.0:alpha
spip	spip	3.1.0:beta
spip	spip	3.1.0:rc
spip	spip	3.1.0:rc2
spip	spip	3.1.0:rc3
spip	spip	3.1.1
spip	spip	3.1.2
spip	spip	3.1.3
spip	spip	3.1.4
spip	spip	3.1.5
spip	spip	3.2:alpha-1
spip	spip	3.2.0:beta
spip	spip	3.2.0:beta2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

spip

bullseye	3.2.11-3+deb11u10 fixed
jessie	not-affected
wheezy	not-affected
bullseye (security)	3.2.11-3+deb11u7 fixed
sid	4.3.3+dfsg-1 fixed
trixie	4.3.3+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

spip

eoan	not-affected
disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	not-affected
zesty	ignored
yakkety	ignored
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://www.debian.org/security/2017/dsa-3890

https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta

https://core.spip.net/projects/spip/repository/revisions/23593

https://core.spip.net/projects/spip/repository/revisions/23594

http://www.debian.org/security/2017/dsa-3890

https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta

https://core.spip.net/projects/spip/repository/revisions/23593

https://core.spip.net/projects/spip/repository/revisions/23594