CVE-2022-26846

EUVD-2022-31396
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
spipspip
𝑥
< 3.2.14
spipspip
4.0.0 ≤
𝑥
< 4.0.5
debiandebian_linux
9.0
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
spip
bullseye
3.2.11-3+deb11u10
fixed
bullseye (security)
3.2.11-3+deb11u7
fixed
sid
4.3.3+dfsg-1
fixed
trixie
4.3.3+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
spip
bionic
Fixed 3.1.4-4~deb9u5build0.18.04.1
released
focal
needed
impish
Fixed 3.2.11-3+deb11u3build0.21.10.1
released
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
not-affected
References
https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-SPIP-3-2-14.html
https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2
https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html
https://lists.debian.org/debian-security-announce/2022/msg00060.html
https://blog.spip.net/Mise-a-jour-critique-de-securite-sorties-de-SPIP-4-0-5-et-SPIP-3-2-14.html
https://git.spip.net/spip/medias/commit/3014b845da2dd8ad15ff04b50fd9dbba388a9ca2
https://lists.debian.org/debian-lts-announce/2022/03/msg00020.html
https://lists.debian.org/debian-security-announce/2022/msg00060.html