CVE-2024-7954
Published 2024-08-23
CVE-2024-7954: The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and…
Priority: P195 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 89.78% (99.8th percentile)
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spip | < spip 4.3.0+dfsg-1 (forky) | spip 4.3.0+dfsg-1 (forky) |
| spip | spip | >= 0 < 4.3.0+dfsg-1 | 4.3.0+dfsg-1 |
| spip | spip | >= 0 < 4.3.0+dfsg-1 | 4.3.0+dfsg-1 |
| spip | spip | >= 4.1.0 < 4.1.16 | 4.1.16 |
| spip | spip | >= 4.2.0 < 4.2.13 | 4.2.13 |
| spip | spip | >= 4.3.0-alpha < 4.3.0-alpha2 | 4.3.0-alpha2 |
Detection & IOCs (extracted from sources)
- Look for unauthenticated POST requests to /index.php?action=porte_plume_previsu; this is the vulnerable endpoint exploited for RCE.
- The exploit payload manipulates SPIP's templating system via the `data` POST parameter using crafted bracket/backtick syntax (e.g., [->URL``]) to trigger eval() inside traitements_previsu_php_modeles_eval().
- A successful /etc/passwd read-back can be confirmed by matching 'root:.*:0:0:' in the HTTP response body.
- SPIP installations can be fingerprinted via the 'Composed-By: SPIP' response header; use this to scope detection to SPIP hosts.
- The Content-Type for the exploit request is application/x-www-form-urlencoded; monitor for POST requests to the porte_plume_previsu action with this content type from unauthenticated sessions.
- The vulnerability affects SPIP versions up to and including 4.2.12; versions 4.3.0-alpha2, 4.2.13, and 4.1.16 are patched. Ensure version checks in detection rules account for this range.
- The attack is fully unauthenticated and remote: no session or credentials are required, meaning perimeter controls alone are insufficient; WAF rules must inspect POST body content for SPIP template injection syntax.
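The first detection point above, as an added example (not taken from any of the cited sources): a log triage script that flags POST requests to the `porte_plume_previsu` action, including percent-encoded variants. It assumes Combined Log Format input; the sample lines are constructed, and because an access log cannot show whether a request was authenticated, hits are leads to correlate with session data rather than confirmed exploitation.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "porte_plume_previsu"  # action name given in the detection notes

def is_previsu_post(line):
    """Return a record if the line is a POST to the previsu action, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    # parse_qs percent-decodes, so action=porte%5Fplume_previsu is still caught,
    # and the path is ignored so SPIP installed in a subdirectory is covered.
    actions = parse_qs(urlsplit(m["target"]).query).get("action", [])
    if VULN_ACTION not in (a.strip().lower() for a in actions):
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "target": m["target"]}

def scan(lines):
    """Count matching requests per source IP; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = is_previsu_post(line)
        if rec:
            hits[rec["ip"]] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [23/Aug/2024:10:01:02 +0000] "POST /index.php?action=porte_plume_previsu HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Aug/2024:10:01:05 +0000] "POST /spip/index.php?page=x&action=porte%5Fplume_previsu HTTP/1.1" 200 498',
    '203.0.113.9 - - [23/Aug/2024:10:02:00 +0000] "GET /index.php?action=porte_plume_previsu HTTP/1.1" 200 100',
    '203.0.113.9 - - [23/Aug/2024:10:02:03 +0000] "POST /index.php?action=other HTTP/1.1" 302 0',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE).most_common():
        print(f"{ip}\t{count} POST(s) to action={VULN_ACTION}")
```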
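CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |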
GHSA
GHSA-42mv-3h37-wfh9: The porte_plume plugin used by SPIP before 4
ghsa_unreviewed·2024-08-23
CVE-2024-7954 [CRITICAL] CWE-284 GHSA-42mv-3h37-wfh9: The porte_plume plugin used by SPIP before 4
OSV
CVE-2024-7954: The porte_plume plugin used by SPIP before 4
osv·2024-08-23·CVSS 9.8
CVE-2024-7954 [CRITICAL] CVE-2024-7954: The porte_plume plugin used by SPIP before 4
VulnCheck
SPIP porte_plume Plugin Arbitrary PHP Execution Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-7954 [CRITICAL] SPIP porte_plume Plugin Arbitrary PHP Execution Vulnerability
Affected: SPIP porte_plume plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-22&host_type=src&vulnerability=cve-2024-7954; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-26&host_type=src&vulnerability=cve-2024-7954; http
Debian
CVE-2024-7954: spip - The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vu...
vendor_debian·2024·CVSS 9.8
CVE-2024-7954 [CRITICAL] CVE-2024-7954: spip - The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vu...
Scope: local
bullseye: resolved
forky: resolved (fixed in 4.3.0+dfsg-1)
sid: resolved (fixed in 4.3.0+dfsg-1)
trixie: resolved (fixed in 4.3.0+dfsg-1)
No detection rules found.
Metasploit
SPIP Unauthenticated RCE via porte_plume Plugin
metasploit
This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP's templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a payload manipulating the templating data processed by the `echappe_retour()` function, invoking `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.
Nuclei
SPIP Porte Plume Plugin - Remote Code Execution
nuclei·CVSS 9.8
CVE-2024-7954 [CRITICAL] SPIP Porte Plume Plugin - Remote Code Execution
Template:
```yaml
id: CVE-2024-7954
info:
  name: SPIP Porte Plume Plugin - Remote Code Execution
  author: s4e-io
  severity: critical
  description: |
    The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code as the SPIP user, achieving complete serve
```