Arbitrary Code Execution Vulnerability in SPIP'sporte_plume Plugin

CVE-2024-7954

9.8CRITICAL

Key Information

Vendor: Spip
Status: Spip
Vendor: CVE Published:; 23 August 2024

Badges

👾 Exploit Exists🔴 Public PoC📰 News Worthy

Summary

An arbitrary code execution vulnerability, CVE-2024-7954, was identified in the SPIP's porte_plume plugin, allowing remote unauthenticated attackers to execute arbitrary PHP code by sending a specially crafted HTTP request. The Cyble Sensor Intelligence report also highlighted other active vulnerabilities, phishing scams, and brute-force attacks, with recommendations for security teams to upgrade affected software, monitor and block attack attempts, and strengthen password policies. No known exploitation by ransomware groups was mentioned.

Affected Version(s)

SPIP < 4.3.0-alpha2

SPIP < 4.2.13

SPIP < 4.1.16

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-7954
Created by bigb0x

CVE-2024-7954
Created by issamiso

News Articles

Cyble

CVE-2024-7954CVE-2024-7120

Cyble Sensor Intelligence: Attacks, Phishing Scams And Brute-Force Detections - Cyble

Cyble’s weekly sensor intelligence report identified active vulnerability exploits, phishing campaigns and brute-force attacks.

2 months ago

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

First article discovered by Cyble
Sep 20, 2024
👾
Exploit exists.
Aug 29, 2024
Vulnerability published.
Aug 23, 2024
Vulnerability Reserved.
Aug 19, 2024

Collectors

NVD DatabaseMitre Database2 Proof of Concept(s)1 News Article(s)

Credit

Louka Jacques-Chevallier