CVE-2024-8517

CRITICAL NUCLEI

SPIP <4.3.2-4.1.18 - Command Injection

Title source: llm

Description

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

Exploits (3)

nomisec WORKING POC 16 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2024-8517
nomisec WORKING POC 1 star
by saadhassan77 · poc
https://github.com/saadhassan77/SPIP-BigUp-Unauthenticated-RCE-Exploit-CVE-2024-8517
metasploit WORKING POC EXCELLENT
by Vozec, Laluka, Julien Voisin, Valentin Lobstein · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spip_bigup_unauth_rce.rb

Nuclei Templates (1)

SPIP BigUp Plugin - Remote Code Execution
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: http.favicon.hash:-1224668706
FOFA: X-Spip-Cache

Scores

CVSS v3 9.8
EPSS 0.9323
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-78 CWE-73
Status published

Affected Products (3)

spip/spip < 4.1.18
spip/spip
spip/spip

Timeline

Published Sep 06, 2024
Tracked Since Feb 18, 2026