| Vulnerability ID | VCID-w6e5-sagr-g7ek |
|---|---|
| Aliases | CVE-2023-27372 |
| Summary | Code Injection SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. |
| Status | Published |
| Exploitability | 2.0 |
| Weighted Severity | 0.8 |
| Risk | 1.6 |
| System | Score | Found at |
|---|---|---|
| epss | 0.9312 | https://api.first.org/data/v1/epss?cve=CVE-2023-27372 |
| Data source | Metasploit |
|---|---|
| Description | This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1. |
| Note | Stability: crash-safe; Reliability: repeatable-session; Side effects: ioc-in-logs |
| Ransomware campaign use | Unknown |
| Source publication date | Feb. 27, 2023 |
| Platform | Linux, PHP, Unix, Windows |
| Source URL | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/spip_rce_form.rb |
| Data source | Exploit-DB |
|---|---|
| Date added | June 20, 2023 |
| Description | SPIP v4.2.0 - Remote Code Execution (Unauthenticated) |
| Ransomware campaign use | Known |
| Source publication date | June 20, 2023 |
| Exploit type | webapps |
| Platform | php |
| Source update date | June 21, 2023 |
| Percentile | 0.99799 |
| EPSS Score | 0.9312 |
| Published At | May 30, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-30T20:59:52.035757+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/spip/spip/CVE-2023-27372.yml | 38.6.0 |