CVE-2024-8517
Published 2024-09-06
Priority P1 · 88 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 94.62% (99.8th percentile)
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spip | < spip 4.3.2+dfsg-1 (forky) | spip 4.3.2+dfsg-1 (forky) |
| spip | spip | — | — |
| spip | spip | — | — |
| spip | spip | >= 0 < 4.3.2+dfsg-1 | 4.3.2+dfsg-1 |
| spip | spip | >= 0 < 4.3.2+dfsg-1 | 4.3.2+dfsg-1 |
| spip | spip | >= 0 < 3.1.4-4~deb9u5ubuntu0.1~esm2 | 3.1.4-4~deb9u5ubuntu0.1~esm2 |
| spip | spip | >= 0 < 3.2.7-1ubuntu0.1+esm2 | 3.2.7-1ubuntu0.1+esm2 |
| spip | spip | >= 4.0.0 < 4.1.18 | 4.1.18 |
| spip | spip | 4.1.0 – 4.1.18 | — |
| spip | spip | 4.2.0 – 4.2.15 | — |
| spip | spip | 4.3.0 – 4.3.1 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by matching POST requests to the SPIP password-reset endpoint containing the 'bigup_retrouver_fichiers' parameter in multipart form data; its mere presence triggers the vulnerable code path in the BigUp plugin.
- Alert on multipart form-data POST requests to /spip.php (including URL-encoded variants such as /spip.ph%70) where a form-data field name contains PHP function calls such as system(), die(), or shell_exec(); this is the PHP code injection vector via the filename/field-name parameter.
- Detect successful exploitation by monitoring HTTP response bodies for the pattern uid=[0-9]+.*gid=[0-9]+.* which indicates OS command output (id) returned in the response.
- URL-encoded path obfuscation (/spip.ph%70, pag%65=) is used to evade simple string-match WAF rules; ensure detection logic decodes percent-encoded characters before matching.
- The exploit is unauthenticated and targets the public-facing SPIP password-reset form (page=spip_pass); no session or credentials are required, so any such POST with bigup_retrouver_fichiers from an unauthenticated source is suspicious.
- Affected versions span SPIP 4.0 through 4.3.1 / 4.2.15 / 4.1.17; the vulnerability is patched in 4.3.2, 4.2.16, and 4.1.18, so detections should be scoped to unpatched instances.
- The injection point is specifically the improper handling of multipart form-data field names (not file content), so content-inspection rules must parse multipart Content-Disposition headers, not just file payloads.
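The detection notes above can be combined into one log or proxy-side check. The following is an added example, not code from SPIP, Metasploit or Nuclei; the function names, indicator labels and the function-call heuristic are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote

TRIGGER_FIELD = "bigup_retrouver_fichiers"  # field named in the notes above
# Assumed heuristic: an identifier followed by "(" inside a field name.
CALL_IN_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*\(")
# Percent-encoded ASCII letters, which never need encoding (/spip.ph%70).
ENCODED_LETTER = re.compile(r"%(?:4[1-9A-F]|5[0-9A]|6[1-9A-F]|7[0-9A])", re.I)
ID_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")  # pattern from the notes
# name= parameter only; the leading class keeps filename= from matching.
NAME_PARAM = re.compile(r'(?:^|[;\s])name="([^"]*)"')

def field_names(body):
    """Return the name= value of each Content-Disposition header in the body."""
    names = []
    for line in body.splitlines():
        if line.lower().startswith("content-disposition:"):
            match = NAME_PARAM.search(line)
            if match:
                names.append(match.group(1))
    return names

def inspect_request(method, target, content_type, body):
    """Return the list of indicators a request matches (empty if none)."""
    decoded = unquote(target)  # decode percent-escapes before matching the path
    path = decoded.split("?", 1)[0]
    if method.upper() != "POST" or not path.endswith("/spip.php"):
        return []
    if "multipart/form-data" not in content_type.lower():
        return []
    names = field_names(body)
    findings = []
    if TRIGGER_FIELD in names:
        findings.append("trigger-field")
    if any(CALL_IN_NAME.search(name) for name in names):
        findings.append("call-in-field-name")
    if ENCODED_LETTER.search(target):
        findings.append("encoded-letters-in-target")
    return findings

def response_shows_id_output(body):
    """True when a response body contains output shaped like the id command's."""
    return ID_OUTPUT.search(body) is not None

# Constructed samples, not captured traffic; the field name is an inert placeholder.
SUSPICIOUS_BODY = ('--b\r\nContent-Disposition: form-data; name="bigup_retrouver_fichiers"\r\n\r\n1\r\n'
                   '--b\r\nContent-Disposition: form-data; name="f[shell_exec(PLACEHOLDER)]"; '
                   'filename="a.txt"\r\n\r\nx\r\n--b--\r\n')
BENIGN_BODY = ('--b\r\nContent-Disposition: form-data; name="file"; '
               'filename="report(1).txt"\r\n\r\nx\r\n--b--\r\n')
```

The benign sample carries parentheses only in `filename=`, so it is not flagged: the check reads field names, which is where the notes place the injection point.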
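CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_ubuntu | | 6.2 | MEDIUM | |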
OSV
spip vulnerabilities
osv·2025-03-04·CVSS 6.1
CVE-2022-23638 [MEDIUM] spip vulnerabilities
It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to p
GHSA
GHSA-7w4r-xxr6-xrcj: SPIP before 4
ghsa_unreviewed·2024-09-06
CVE-2024-8517 [CRITICAL] CWE-646 GHSA-7w4r-xxr6-xrcj: SPIP before 4
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
OSV
CVE-2024-8517: SPIP before 4
osv·2024-09-06·CVSS 9.8
CVE-2024-8517 [CRITICAL] CVE-2024-8517: SPIP before 4
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Ubuntu
SPIP vulnerabilities
vendor_ubuntu·2025-03-04·CVSS 6.2
CVE-2022-28959 [MEDIUM] SPIP vulnerabilities
Title: SPIP vulnerabilities
Summary: Several security issues were fixed in spip.
It was discovered that svg-sanitizer, vendored in SPIP, did not properly
sanitize SVG/XML content. An attacker could possibly use this issue to
perform cross site scripting. This issue only affected Ubuntu 24.10.
(CVE-2022-23638)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform cross site
scripting. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28959)
It was discovered that SPIP did not properly sanitize certain inputs. A
remote attacker could possibly use this issue to perform PHP injection
attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2022-28960)
It was discovered that SPIP did not properly sanitize certain
Debian
CVE-2024-8517: spip - SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issu...
vendor_debian·2024·CVSS 9.8
CVE-2024-8517 [CRITICAL] CVE-2024-8517: spip - SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issu...
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Scope: local
bullseye: resolved
forky: resolved (fixed in 4.3.2+dfsg-1)
sid: resolved (fixed in 4.3.2+dfsg-1)
trixie: resolved (fixed in 4.3.2+dfsg-1)
No detection rules found.
Metasploit
SPIP BigUp Plugin Unauthenticated RCE
metasploit
This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. This critical vulnerability affects all versions of SPIP from 4.0 up to and including 4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code remotely via the public interface. The vulnerability has been patched in versions 4.3.2, 4.2.16, and 4.1.18.
Nuclei
SPIP BigUp Plugin - Remote Code Execution
nuclei·CVSS 9.8
CVE-2024-8517 [CRITICAL] SPIP BigUp Plugin - Remote Code Execution
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
Template:
```yaml
id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through crafted multipart file upload requests, achieving complete server compromise
```
2024-09-06
Published