Description: SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request. SPIP is free, open-source software for creating Internet sites. SPIP versions prior to 2.0.21, 2.1.16, and 3.0.3 have security vulnerabilities. The vulnerability is caused by commands being directly concatenated and executed without effective authentication of the connect parameter. By concatenating system commands through this vulnerability, an unauthenticated attacker can execute arbitrary operating system commands on the server and obtain server permissions.