CVE-2024-7954

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-7954

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7954.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-7954

Downstream

DEBIAN-CVE-2024-7954

UBUNTU-CVE-2024-7954

Published

2024-08-23T18:15:07Z

Modified

2025-09-23T16:15:30Z

Summary

[none]

Details

The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.

References

https://vulncheck.com/advisories/spip-porte-plume
https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/

CVE-2024-7954

Affected packages