CVE-2024-7954
published 2024-08-23

Priority: P1 (95), critical. CVSS 3.1 score: 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 89.78% (99.8th percentile)

The porte_plume plugin used by SPIP before 4.3.0-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

Affected

6 ranges

Vendor  | Product | Version range                     | Fixed in
debian  | spip    | < spip 4.3.0+dfsg-1 (forky)       | spip 4.3.0+dfsg-1 (forky)
spip    | spip    | >= 0, < 4.3.0+dfsg-1              | 4.3.0+dfsg-1
spip    | spip    | >= 0, < 4.3.0+dfsg-1              | 4.3.0+dfsg-1
spip    | spip    | >= 4.1.0, < 4.1.16                | 4.1.16
spip    | spip    | >= 4.2.0, < 4.2.13                | 4.2.13
spip    | spip    | >= 4.3.0-alpha, < 4.3.0-alpha2    | 4.3.0-alpha2

Detection & IOCs (extracted from sources)

url: /index.php?action=porte_plume_previsu
command: data=AA_[->URL``]_BB
  • Look for unauthenticated POST requests to /index.php?action=porte_plume_previsu — this is the vulnerable endpoint exploited for RCE.
  • The exploit payload manipulates SPIP's templating system via the `data` POST parameter using crafted bracket/backtick syntax (e.g., [->URL``]) to trigger eval() inside traitements_previsu_php_modeles_eval().
  • A successful exploitation attempt that reads back /etc/passwd can be confirmed by matching 'root:.*:0:0:' in the HTTP response body.
  • SPIP installations can be fingerprinted via the 'Composed-By: SPIP' response header; use this to scope detection to SPIP hosts.
  • The Content-Type of the exploit request is application/x-www-form-urlencoded; monitor for POST requests to the porte_plume_previsu action with this content type from unauthenticated sessions.
  • The vulnerability affects SPIP versions up to and including 4.2.12; versions 4.3.0-alpha2, 4.2.13, and 4.1.16 are patched. Ensure version checks in detection rules account for this range.
  • The attack is fully unauthenticated and remote — no session or credentials are required, meaning perimeter controls alone are insufficient; WAF rules must inspect POST body content for SPIP template injection syntax.
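As an added illustration of the detection points above (example code written for this page, not from SPIP or from the database that produced this record), a small Python classifier that applies the endpoint, Content-Type, Composed-By scoping, `data` payload syntax and /etc/passwd read-back checks to constructed request/response pairs:

```python
import re
from urllib.parse import parse_qs, urlsplit

ACTION = "porte_plume_previsu"
# SPIP bracket link syntax carrying backticks, e.g. [->URL``]: the shape the
# published exploit uses to reach eval() through the preview path.
INJECT_RE = re.compile(r"\[[^\]]*->[^\]]*`[^\]]*\]")
# /etc/passwd read back in the response means code actually executed.
PASSWD_RE = re.compile(r"root:.*:0:0:")


def targets_previsu(req):
    """POST to /index.php?action=porte_plume_previsu with a form-encoded body."""
    parts = urlsplit(req["url"])
    action = parse_qs(parts.query).get("action", [""])[0]
    ctype = req["headers"].get("Content-Type", "")
    return (req["method"] == "POST" and parts.path.endswith("/index.php")
            and action == ACTION and ctype.startswith("application/x-www-form-urlencoded"))


def classify(req):
    """Return 'ignore', 'benign', 'suspicious' or 'confirmed' for one request/response pair."""
    # Scope to SPIP hosts via the Composed-By response header, then to the endpoint.
    if not req["resp_headers"].get("Composed-By", "").startswith("SPIP") or not targets_previsu(req):
        return "ignore"
    data = parse_qs(req["body"]).get("data", [""])[0]  # percent-decoded `data` parameter
    if not INJECT_RE.search(data):
        return "benign"
    return "confirmed" if PASSWD_RE.search(req["resp_body"]) else "suspicious"


def sample(body, composed_by="SPIP 4.2.12", resp_body="<p>ok</p>"):
    """Build a constructed request/response pair (not a real capture)."""
    return {"method": "POST", "url": "/index.php?action=porte_plume_previsu",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body, "resp_headers": {"Composed-By": composed_by} if composed_by else {},
            "resp_body": resp_body}


# Constructed samples: legitimate SPIP link markup, the IOC payload from the
# record above, the same payload with /etc/passwd in the reply, and a non-SPIP host.
SAMPLES = {
    "legit_link": sample("data=%5BSPIP-%3Ehttps%3A%2F%2Fwww.spip.net%5D"),
    "ioc_payload": sample("data=AA_%5B-%3EURL%60%60%5D_BB"),
    "passwd_readback": sample("data=AA_%5B-%3EURL%60%60%5D_BB",
                              resp_body="root:x:0:0:root:/root:/bin/bash\n"),
    "not_spip": sample("data=AA_%5B-%3EURL%60%60%5D_BB", composed_by=None),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} -> {classify(req)}")
```

The regex deliberately requires a backtick inside the bracket link, so ordinary SPIP `[text->url]` markup submitted to the preview endpoint stays benign while the exploit shape is flagged.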

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | LOW      |