PT-2024-39069 · Spip+2 · Spip+2

Arthur Deloffre

Published

2024-09-06

Updated

2025-11-24

CVE-2024-8517

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SPIP versions prior to 4.3.2, 4.2.16, and 4.1.18

Description SPIP is susceptible to a command injection issue. An unauthenticated, remote attacker can execute arbitrary operating system commands by submitting a specially crafted multipart file upload HTTP request. A proof of concept has been published, increasing the risk of exploitation. Approximately 200+ potentially affected devices have been identified via ZoomEye dorking.

Recommendations SPIP versions prior to 4.3.2 must be updated. SPIP versions prior to 4.2.16 must be updated. SPIP versions prior to 4.1.18 must be updated.

Exploit

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-73CWE-646CWE-78

Related Identifiers

CVE-2024-8517

USN-7318-1

Affected Products

Linuxmint

Spip

Ubuntu

PT-2024-39069 · Spip+2 · Spip+2

CVE-2024-8517

Weakness Enumeration

Related Identifiers

Affected Products

References · 42