CVE-2024-7954

2024-08-2318:15:07

CWE-284

VulnCheck

web.nvd.nist.gov

spip

porte_plume

arbitrary code execution

vulnerability

http request

remote attacker

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

52.9%

JSON

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SPIP",
    "vendor": "SPIP",
    "versions": [
      {
        "lessThan": "4.3.0-alpha2",
        "status": "affected",
        "version": "4.3.0-alpha",
        "versionType": "custom"
      },
      {
        "lessThan": "4.2.13",
        "status": "affected",
        "version": "4.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.1.16",
        "status": "affected",
        "version": "4.1.0",
        "versionType": "semver"
      }
    ]
  }
]