Arbitrary Code Execution Vulnerability in SPIP'sporte_plume Plugin
CVE-2024-7954
Key Information:
Badges
Summary
An arbitrary code execution vulnerability, CVE-2024-7954, was identified in the SPIP's porte_plume plugin, allowing remote unauthenticated attackers to execute arbitrary PHP code by sending a specially crafted HTTP request. The Cyble Sensor Intelligence report also highlighted other active vulnerabilities, phishing scams, and brute-force attacks, with recommendations for security teams to upgrade affected software, monitor and block attack attempts, and strengthen password policies. No known exploitation by ransomware groups was mentioned.
Affected Version(s)
SPIP 4.3.0-alpha < 4.3.0-alpha2
SPIP 4.2.0 < 4.2.13
SPIP 4.1.0 < 4.1.16
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CybleReferences
EPSS Score
93% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 📰
First article discovered by Cyble
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved