CVE-2024-8517

Summary

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

Affected Software

VendorProductVersion RangeStatus
SPIPSPIP4.3.0 <= 4.3.1affected
SPIPSPIP4.2.0 <= 4.2.15affected
SPIPSPIP4.1.0 <= 4.1.18affected

Weaknesses

  • CWE-73: CWE-73 External Control of File Name or Path
  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References