Arbitrary Code Execution Vulnerability in SPIP's porte_plume Plugin
CVE-2024-7954
Key Information:
- Vendor: Spip
- CVE Published: 23 August 2024
Summary
An arbitrary code execution vulnerability, CVE-2024-7954, was identified in SPIP's porte_plume plugin. It allows remote unauthenticated attackers to execute arbitrary PHP code by sending a specially crafted HTTP request. The Cyble Sensor Intelligence report also highlighted other active vulnerabilities, phishing scams, and brute-force attacks, with recommendations for security teams to upgrade affected software, monitor and block attack attempts, and strengthen password policies. No known exploitation by ransomware groups was mentioned.
Affected Version(s)
SPIP 4.3.0-alpha < 4.3.0-alpha2
SPIP 4.2.0 < 4.2.13
SPIP 4.1.0 < 4.1.16
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- First article discovered by Cyble
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved