CVE-2021-44123

EUVD-2021-30979
SPIP 4.0.0 is affected by a remote command execution vulnerability. To exploit the vulnerability, an attacker must craft a malicious picture with a double extension, upload it and then click on it to execute it.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
spipspip
4.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
spip
bullseye
3.2.11-3+deb11u10
fixed
bullseye (security)
3.2.11-3+deb11u7
fixed
sid
4.3.3+dfsg-1
fixed
trixie
4.3.3+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
spip
bionic
Fixed 3.1.4-4~deb9u5build0.18.04.1
released
focal
Fixed 3.2.7-1ubuntu0.1
released
impish
Fixed 3.2.11-3+deb11u3build0.21.10.1
released
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a
https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a