CVE-2024-7954

Summary

CVE-2024-7954 identifies a critical arbitrary code execution vulnerability in the porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16. This flaw allows remote, unauthenticated attackers to execute arbitrary PHP code as the SPIP user through specially crafted HTTP requests, which poses significant risks including high confidentiality and integrity impacts. Affected products include various versions of SPIP and associated plugins such as qR_OV2, qR_OV3, x-PIl5 through x-PIl9, among others. To remediate this vulnerability, users are advised to update their SPIP installations to the latest available version that addresses this issue. The vulnerability has a CVSS score of 9.8, indicating it is highly exploitable with low complexity and no user interaction required for successful exploitation.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.