SPIP versions 4.2.1 and below suffer from an unauthenticated remote code execution vulnerability.
bc549f06980b67c5d5fb853b317d52b6bf509cd5c2baedf878192f640f78097d
This Metasploit module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are affected. Vulnerable versions are below 3.2.18, below 4.0.10, below 4.1.18 and below 4.2.1.
da36b42d35a291178bebac45397335e931352a6a022f64275dfb7fc469079f1f
Debian Linux Security Advisory 5367-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code.
1d4b1b1ced26b5ac97eb9419c445bb93b485a6908145b4ed3c2bfbf29a5223b3