CVE-2024-8517: Critical SPIP Flaw Leaves Websites Vulnerable to Remote Attacks, PoC Published
The popular open-source content management system (CMS), SPIP, is facing a critical security vulnerability that could allow unauthenticated attackers to execute malicious code on affected servers. The vulnerability, identified as CVE-2024-8517 with a CVSS score of 9.8 (critical), stems from a command injection flaw in the BigUp plugin.
The issue lies within the lister_fichiers_par_champs function of the BigUp plugin, which fails to properly sanitize user-supplied data during file uploads. When the bigup_retrouver_fichiers parameter is set to 1, attackers can craft malicious HTTP requests containing harmful PHP code. Once processed, this code can be executed on the server, granting attackers complete control over the system.
One of the most alarming aspects of CVE-2024-8517 is that no authentication or special privileges are required to exploit it. Any remote attacker can abuse the vulnerability simply by sending a maliciously crafted HTTP request to the SPIP server. Unlike many other CMS vulnerabilities that require administrative access or social engineering tactics, this flaw can be exploited by anyone without prior access to the system.
The vulnerability was first disclosed by security researcher Arthur, who provided an in-depth analysis of the underlying technical issues. Following this, another researcher, Chocapikk, published a proof-of-concept (PoC) exploit on GitHub, demonstrating how the vulnerability can be leveraged to execute arbitrary commands. The availability of a public PoC has heightened the urgency for organizations using SPIP to act swiftly.
SPIP is extensively used by a diverse range of organizations and individuals, including institutional sites, community portals, academic websites, associations, personal blogs, and news sites. The severity of this vulnerability, combined with its ease of exploitation (no authentication required), puts a large number of websites at risk.
SPIP users are strongly urged to update their installations to the latest versions (4.3.2, 4.2.16, or 4.1.18) to mitigate this risk.
