CVE-2024-7954

SPIP porte_plume Plugin Arbitrary PHP Execution

CVSS 9.8 CRITICALEPSS 89.8%CWE-1286 CWE-95

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Productos afectados

SPIP · SPIP

PoCs públicas encontradas — 10

githubgithub.com/Chocapikk/CVE-2024-7954★ 13 githubgithub.com/gh-ost00/CVE-2024-7954-RCE★ 9 githubgithub.com/bigb0x/CVE-2024-7954★ 6 githubgithub.com/TheCyberguy-17/RCE_CVE-2024-7954★ 5 githubgithub.com/0dayan0n/RCE_CVE-2024-7954-★ 2 githubgithub.com/ShivanshKuntal/Exploitation-of-a-Remote-Code-Execution-vulnerability--CVE-2024-7954-★ 1 githubgithub.com/zxj-hub/CVE-2024-7954POC★ 0 githubgithub.com/Arthikw3b/RCE-CVE-2024-7954★ 0 githubgithub.com/r0otk3r/CVE-2024-7954★ 0 cve_referencethinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/https://vulncheck.com/advisories/spip-porte-plume