Fluid Attacks Database

Description

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spip	>=0 <3.1.3-1	3.1.3-1
debian 13	spip	>=0 <3.1.3-1	3.1.3-1
debian 14	spip	>=0 <3.1.3-1	3.1.3-1

Aliases

1. CVE-2016-79802. NVD-2016-79803. OSV-DEBIAN-2016-79804. OSV-2016-79805. SECURITY-TRACKER-CVE-2016-7980

References

1. https://www.exploit-db.com/exploits/40597

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.