CVE-2024-8517

SPIP Bigup Multipart File Upload OS Command Injection

CVSS 9.8 CRITICALEPSS 94.6%CWE-73 CWE-78

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

SPIP · SPIP

public PoCs found — 4

githubgithub.com/Chocapikk/CVE-2024-8517★ 16 githubgithub.com/saadhassan77/SPIP-BigUp-Unauthenticated-RCE-Exploit-CVE-2024-8517★ 1 cve_referencethinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/unverified cve_referencevozec.fr/researchs/spip-preauth-rce-2024-big-upload/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload/https://vulncheck.com/advisories/spip-upload-rce