CVE-2024-8517
published 2024-09-06


Priority: P188 (critical, CVSS 3.1 base score 9.8)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available: yes
EPSS: 94.62% (99.8th percentile)
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

Affected

11 ranges

Vendor | Product | Version range                          | Fixed in
debian | spip    | < spip 4.3.2+dfsg-1 (forky)            | spip 4.3.2+dfsg-1 (forky)
spip   | spip    |                                        |
spip   | spip    |                                        |
spip   | spip    | >= 0 < 4.3.2+dfsg-1                    | 4.3.2+dfsg-1
spip   | spip    | >= 0 < 4.3.2+dfsg-1                    | 4.3.2+dfsg-1
spip   | spip    | >= 0 < 3.1.4-4~deb9u5ubuntu0.1~esm2    | 3.1.4-4~deb9u5ubuntu0.1~esm2
spip   | spip    | >= 0 < 3.2.7-1ubuntu0.1+esm2           | 3.2.7-1ubuntu0.1+esm2
spip   | spip    | >= 4.0.0 < 4.1.18                      | 4.1.18
spip   | spip    | 4.1.0 – 4.1.18                         |
spip   | spip    | 4.2.0 – 4.2.15                         |
spip   | spip    | 4.3.0 – 4.3.1                          |

Detection & IOCs (extracted from sources)

url:     /spip.ph%70?pag%65=spip_pass&lang=fr
command: name="RCE['.system('id').die().']"
other:   bigup_retrouver_fichiers=a
other:   fofa: "X-Spip-Cache"
  • Detect exploitation attempts by matching POST requests to SPIP password-reset endpoint containing the 'bigup_retrouver_fichiers' parameter in multipart form data — its mere presence triggers the vulnerable code path in the BigUp plugin.
  • Alert on multipart form-data POST requests to /spip.php (including URL-encoded variants such as /spip.ph%70) where a form-data field name contains PHP function calls such as system(), die(), or shell_exec() — this is the PHP code injection vector via the filename/field-name parameter.
  • Detect successful exploitation by monitoring HTTP response bodies for the pattern uid=[0-9]+.*gid=[0-9]+.* which indicates OS command output (id) returned in the response.
  • URL-encoded path obfuscation (/spip.ph%70, pag%65=) is used to evade simple string-match WAF rules; ensure detection logic decodes percent-encoded characters before matching.
  • The exploit is unauthenticated and targets the public-facing SPIP password-reset form (page=spip_pass); no session or credentials are required, so any such POST with bigup_retrouver_fichiers from an unauthenticated source is suspicious.
  • Affected versions span SPIP 4.0 through 4.3.1 / 4.2.15 / 4.1.17; the vulnerability is patched in 4.3.2, 4.2.16, and 4.1.18 — detections should be scoped to unpatched instances.
  • The injection point is specifically the improper handling of multipart form-data field names (not file content), so content-inspection rules must parse multipart Content-Disposition headers, not just file payloads.
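The detection notes above can be turned into a small request analyser. The following is an added example written for this page, not code from the database or from the SPIP project: it decodes the percent-encoded path and query before matching, parses the multipart body for Content-Disposition field names (not file contents), flags the bigup_retrouver_fichiers parameter and PHP function calls in field names, and checks a response body for the uid=/gid= pattern. The raw-bytes input shape, the list of PHP function names beyond system(), die() and shell_exec(), and the two sample requests are assumptions constructed for the example.

```python
"""Request/response checks for the CVE-2024-8517 indicators listed above.

Added example (not from the advisory or the SPIP project). Assumes requests are
available as raw HTTP bytes, e.g. from a reverse proxy or packet capture.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# PHP calls that should never appear in a multipart field name. system, die and
# shell_exec come from the detection notes; the rest are an assumed extension.
PHP_CALL_RE = re.compile(
    r"\b(system|shell_exec|exec|passthru|popen|eval|die)\s*\(", re.IGNORECASE
)
# Output of `id` leaking into a response body (pattern from the notes above).
ID_OUTPUT_RE = re.compile(rb"uid=\d+.*gid=\d+")
# The name="..." token of a Content-Disposition header (filename= does not match
# because of the word boundary).
NAME_RE = re.compile(r'\bname="((?:[^"\\]|\\.)*)"', re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_field_names(headers, body: bytes):
    """Return the Content-Disposition field names of a multipart/form-data body."""
    ctype = headers.get("content-type", "")
    match = re.search(r'boundary="?([^";]+)"?', ctype)
    if not match or not ctype.lower().startswith("multipart/form-data"):
        return []
    boundary = b"--" + match.group(1).encode("latin-1")
    names = []
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        part_head = part.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
        for hdr in part_head.split("\r\n"):
            if hdr.lower().startswith("content-disposition:"):
                found = NAME_RE.search(hdr)
                if found:
                    names.append(found.group(1))
    return names


def analyse_request(raw: bytes):
    """Return detection tags for one request; an empty list means nothing matched."""
    method, target, headers, body = parse_request(raw)
    if method.upper() != "POST":
        return []
    # Decode percent-encoding per component so /spip.ph%70?pag%65=... is caught;
    # parse_qs decodes both parameter names and values.
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)
    on_spip_pass = path.endswith("/spip.php") and "spip_pass" in query.get("page", [])
    names = multipart_field_names(headers, body)
    tags = []
    if "bigup_retrouver_fichiers" in names:
        tags.append("bigup_param")
    if any(PHP_CALL_RE.search(n) for n in names):
        tags.append("php_call_in_field_name")
    # Only tag the password-reset target when another indicator is present, so
    # ordinary password resets are not flagged.
    if tags and on_spip_pass:
        tags.append("spip_pass_target")
    return tags


def response_leaks_id_output(body: bytes) -> bool:
    """True when a response body contains `id`-style uid=/gid= output."""
    return ID_OUTPUT_RE.search(body) is not None


# Constructed sample traffic (not captured data). The field names reuse the IOCs
# listed above; the file content is irrelevant to the check.
SAMPLE_EXPLOIT_REQUEST = (
    b"POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=XbXb\r\n\r\n"
    b"--XbXb\r\nContent-Disposition: form-data; name=\"bigup_retrouver_fichiers\"\r\n\r\na\r\n"
    b"--XbXb\r\nContent-Disposition: form-data; name=\"RCE['.system('id').die().']\"; "
    b"filename=\"x.txt\"\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--XbXb--\r\n"
)
SAMPLE_BENIGN_REQUEST = (
    b"POST /spip.php?page=spip_pass&lang=fr HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=XbXb\r\n\r\n"
    b"--XbXb\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\nuser@example.invalid\r\n"
    b"--XbXb--\r\n"
)

if __name__ == "__main__":
    print("exploit sample:", analyse_request(SAMPLE_EXPLOIT_REQUEST))
    print("benign sample: ", analyse_request(SAMPLE_BENIGN_REQUEST))
    print("id leak:", response_leaks_id_output(b"uid=33(www-data) gid=33(www-data)"))
```

Decoding per URL component rather than decoding the whole request line at once avoids turning an encoded `%26` into a separator, which would itself be a way around the match. The response check is the weakest of the three signals on its own, since uid=/gid= strings can appear in legitimate diagnostic pages, so it is best correlated with a flagged request from the same client.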

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | LOW      |
vendor_ubuntu |         | 6.2   | MEDIUM   |