CVE-2023-27372

Published Feb 28, 2023

Last updated a year ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2023-27372 is a Remote Code Execution (RCE) vulnerability in SPIP, an open-source content management system (CMS) used for website publishing. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers. It stems from the improper handling of serialized data in form values submitted to the public-facing area of SPIP: by submitting maliciously crafted serialized objects through form fields, an attacker can inject and execute arbitrary code on the underlying server. The issue affects SPIP versions before 4.2.1; the fixed releases on each maintained branch are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

Description: SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-502

Social media

Hype score: Not currently trending
  1. CVE-2025-71243 - SPIP Saisies Plugin RCE Advisory dropped today, PoC ready 30 minutes later. Full AI-assisted reversal from patch diff to confirmed RCE. Same exploitation pattern as CVE-2023-27372 - unsanitized input into SPIP's template engine with interdire_scripts=false. Two

    @Chocapikk_

    19 Feb 2026

    1621 Impressions

    4 Retweets

    21 Likes

    3 Bookmarks

    2 Replies

    0 Quotes

  2. Boot-To-Root / Publisher - TryHackMe. The lab is very long, so unfortunately I can't break it down in detail, but I'll try to summarize: the web vulnerability was in spip - cve-2023-27372, and after that you get the user, and after the user you have to get into the part

    @mr0xlord

    26 Oct 2025

    2876 Impressions

    4 Retweets

    63 Likes

    34 Bookmarks

    1 Reply

    0 Quotes

  3. CVE-2023-27372 is a privilege escalation vulnerability in Ivanti Avalanche, an enterprise MDM (mobile device management) system. GitHub: https://t.co/RoXcvgGE4N #CVE #PHP #vulnerable https://t.co/SE9B0Nd7j0 https://t.co/5rIYnccwz5

    @CyberPentestLab

    14 Feb 2025

    48 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations