CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: Low
EPSS
Percentile: 52.9%
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16
is vulnerable to arbitrary code execution. A remote, unauthenticated
attacker can execute arbitrary PHP as the SPIP user by sending a crafted
HTTP request.
blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
launchpad.net/bugs/cve/CVE-2024-7954
nvd.nist.gov/vuln/detail/CVE-2024-7954
security-tracker.debian.org/tracker/CVE-2024-7954
thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
vulncheck.com/advisories/spip-porte-plume
www.cve.org/CVERecord?id=CVE-2024-7954