VDB
CVE-2024-8517
CVE-2024-8517
PUBLISHED
CVSS 9.800000190734863 CRITICAL
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
EPSS 93.37% · 99.8th percentile
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
93.37%
99.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SPIP | SPIP | 4.2.0, 4.3.0, 4.1.0 |
| spip | spip | 4.3.0, 4.3.1, 4.3.0 |
| spip | spip | 0, 4.3.0, 4.2.0 |
Exploit Intelligence
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc-repo)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc)
- This Python exploit targets a critical unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of SPIP CMS (≤ 4.3.1, 4.2.15, 4.1.17). It abuses the bigup_retrouver_fichiers parameter, allowing attackers to execute arbitrary PHP via upload progress features, without authentication. (github-poc)
…and 37 more exploits
Timeline
- Sep 6, 2024 CVE Published
- Sep 7, 2024 EPSS Score
- Sep 11, 2024 PoC Published
- Sep 14, 2024 PoC Published
- Sep 27, 2024 EPSS Score
- Oct 5, 2024 Coalition ESS Score
- Nov 6, 2024 EPSS Score
- Dec 14, 2024 EPSS Score
- Dec 17, 2024 EPSS Score
- Jan 6, 2025 EPSS Score
- Jan 24, 2025 EPSS Score
- Jan 24, 2025 Coalition ESS Score
References
- https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/ exploit
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html vendor-advisory
- https://vulncheck.com/advisories/spip-upload-rce third-party-advisory
- https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload/ exploit
- https://nvd.nist.gov/vuln/detail/CVE-2024-8517 advisory
- https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload url
- https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload url