SPIP
cpe:2.3:a:spip:spip:*:*:*:*:*:*:*
- <= 4.4.0
An insecure deserialization vulnerability has been identified in SPIP versions prior to 4.4.9. It is reachable from the public (front-end) area through the table_valeur filter and the DATA iterator, both of which accept PHP-serialized input and deserialize it. An attacker able to inject malicious serialized content (which requires either prior access or another vulnerability) can trigger arbitrary object instantiation, potentially leading to code execution. Accepting serialized data in these components has been deprecated and will be removed in SPIP 5. Note that the SPIP security screen does not mitigate this issue.
Exploitation of this vulnerability leads to arbitrary object instantiation and could allow code execution on the server.
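The following is an added illustration of the vulnerability class described above (PHP object injection through unserialize()); it is not SPIP's code and not the actual table_valeur or DATA iterator implementation. The class RecordedHook and the three table_valeur_* functions are hypothetical stand-ins for a filter that accepts either an array or a serialized array, and the payload is constructed here. PHP 8 is assumed.

```php
<?php
// Added illustration of PHP object injection through unserialize().
// Not SPIP's code: the class and function names are hypothetical stand-ins
// for a filter that accepts serialized data from the public area.

declare(strict_types=1);

// Any class loaded by the application that defines a magic method such as
// __wakeup() or __destruct() becomes reachable from attacker-controlled
// serialized input. This stand-in only records that its hook ran.
final class RecordedHook
{
    public static int $wakeups = 0;
    public string $target = '';

    public function __wakeup(): void
    {
        // Runs inside unserialize(), before the caller ever sees the object.
        // A real gadget would act on $this->target here (write a file, ...).
        self::$wakeups++;
    }
}

// Vulnerable shape: a string coming from the public area is handed straight
// to unserialize(), so every serialized object in it is instantiated.
function table_valeur_vulnerable(string|array $table, string $key): mixed
{
    if (is_string($table)) {
        $table = @unserialize($table);
    }
    return is_array($table) ? ($table[$key] ?? null) : null;
}

// Hardened shape: objects are refused at the deserialization boundary, so
// nothing is instantiated and no magic method fires. Objects in the payload
// surface as __PHP_Incomplete_Class, which the caller then rejects.
function table_valeur_hardened(string|array $table, string $key): mixed
{
    if (is_string($table)) {
        $table = @unserialize($table, ['allowed_classes' => false]);
        if (!is_array($table)) {
            return null;
        }
    }
    $value = $table[$key] ?? null;
    return $value instanceof __PHP_Incomplete_Class ? null : $value;
}

// Strictest shape, in the direction the advisory describes for SPIP 5 (no
// serialized input at all): accept JSON, which has no path to instantiate
// arbitrary classes.
function table_valeur_json(string|array $table, string $key): mixed
{
    if (is_string($table)) {
        $table = json_decode($table, true, 512, JSON_THROW_ON_ERROR);
    }
    return is_array($table) ? ($table[$key] ?? null) : null;
}

// Constructed payload: a serialized array whose 'x' entry is a RecordedHook
// carrying an attacker-chosen property.
$hook = new RecordedHook();
$hook->target = '/tmp/anything';
$payload = serialize(['x' => $hook]);

RecordedHook::$wakeups = 0;
table_valeur_vulnerable($payload, 'x');
printf("vulnerable: __wakeup() ran %d time(s)\n", RecordedHook::$wakeups);

RecordedHook::$wakeups = 0;
$v = table_valeur_hardened($payload, 'x');
printf("hardened:   __wakeup() ran %d time(s), value is %s\n",
    RecordedHook::$wakeups, var_export($v, true));

printf("json:       %s\n", var_export(table_valeur_json('{"x":"plain"}', 'x'), true));
```

The point the vulnerable variant makes is that the hook fires inside unserialize() itself, so validating the returned array afterwards changes nothing: by the time table_valeur_vulnerable() looks at $table, the object has already been instantiated. The allowed_classes option is a stopgap for code that must keep accepting serialized strings; dropping serialized input in favour of JSON (or plain arrays) removes the instantiation path entirely, which is the direction the advisory says SPIP 5 takes. Which of these SPIP 4.4.9 actually applies is not stated on this page.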
Users are advised to update to SPIP version 4.4.9, which addresses this vulnerability. The update can be performed using the SPIP loader or by downloading the latest version from the SPIP official website.