CVE-2024-7954
Published: 23 August 2024
Summary
CVE-2024-7954 is a critical-severity Eval Injection (CWE-95) vulnerability in Spip (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The porte_plume plugin in SPIP versions prior to 4.3.0-alpha2, 4.2.13, and 4.1.16 contains an arbitrary code execution vulnerability tracked as CVE-2024-7954. The flaw, assigned CVSS 9.8 and mapped to CWE-95 and CWE-1286, resides in the plugin's handling of crafted input that is later evaluated as PHP.
A remote unauthenticated attacker can exploit the issue by sending a single malicious HTTP request, resulting in arbitrary PHP execution under the privileges of the SPIP web server user and full compromise of confidentiality, integrity, and availability.
Official SPIP advisories direct administrators to upgrade immediately to 4.3.0-alpha2, 4.2.13, or 4.1.16; third-party analyses at thinkloveshare.com and vulncheck.com confirm the pre-authentication vector and the necessity of the patch. The associated EPSS score remains elevated near 0.93 with no documented low-to-high trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48791
Vulnerability details
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.