CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 90.7% |

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell
metacharacters from the host field, allowing a remote attacker to cause
remote code execution.
Author | Note |
---|---|
seth-arnold | The patches look like this is a simple black-list functionality but doesn’t black-list $() or `` or <() or any other number of shell metacharacters. I expect this is still broken and should use a whitelist of a-z0-9_-. |
msalvatore | “SPIP 3.0.x and earlier versions are not affected by this issue.” |
contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta
core.spip.net/projects/spip/repository/revisions/23593
core.spip.net/projects/spip/repository/revisions/23594
launchpad.net/bugs/cve/CVE-2017-9736
nvd.nist.gov/vuln/detail/CVE-2017-9736
security-tracker.debian.org/tracker/CVE-2017-9736
www.cve.org/CVERecord?id=CVE-2017-9736