Vulnerabilities > Spip > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-06 | CVE-2024-8517 | Unspecified vulnerability in Spip SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. | 9.8 |
| 2023-02-28 | CVE-2023-27372 | SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. | 9.8 |
| 2023-02-27 | CVE-2023-24258 | SQL Injection vulnerability in Spip SPIP v4.1.5 and earlier was discovered to contain a SQL injection vulnerability via the _oups parameter. | 9.8 |
| 2020-11-23 | CVE-2020-28984 | prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters. | 9.8 |
| 2017-06-17 | CVE-2017-9736 | OS Command Injection vulnerability in Spip SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution. | 9.8 |
| 2016-04-08 | CVE-2016-3154 | Code Injection vulnerability in Spip The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. | 9.8 |
| 2016-04-08 | CVE-2016-3153 | Code Injection vulnerability in multiple products SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function. | 9.8 |