Base Score

HIGH8.8

CVE-2022-28960

A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.

VectorNETWORK

Published Bycve@mitre.org

Published DateMay 19, 2022, 21:15

Weakness Type (CWE):CWE-116

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-SPIP-3-2-8-et-SPIP-3-1-13.html
https://github.com/spip/SPIP/commit/0394b44774555ae8331b6e65e35065dfa0bb41e4
https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf
https://thinkloveshare.com/en/hacking/rce_on_spip_and_root_me/
https://www.root-me.org/fr/Informations/Faiblesses-decouvertes/

Base Score

HIGH8.8

Weakness Type (CWE):CWE-116

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH