CVE-2024-53619

NameCVE-2024-53619
DescriptionAn authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088800

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
spip (PTS)bullseye3.2.11-3+deb11u10vulnerable
bullseye (security)3.2.11-3+deb11u7vulnerable
sid, trixie4.3.4+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
spipsource(unstable)(unfixed)1088800

Notes

[bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)
https://grimthereaperteam.medium.com/spip-4-3-3-malicious-file-upload-xss-in-pdf-526c03bb1776

Search for package or bug name: Reporting problems