Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-7980Cross-Site Request Forgery in Spip

CWE-352Cross-Site Request Forgery5 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.6%
top 31.89%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
SpipDebian Spip
Timeline
PublishedJan 18
Latest updateMay 17

Description

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

debiandebian/spip< spip 3.1.3-1 (bullseye)
Debianspip/spip< 3.1.3-1+2
NVDspip/spip3.1.2

Patches

Patch: www.openwall.comPatch: core.spip.netPatch: core.spip.net

🔴Vulnerability Details

2
GHSA
GHSA-7w5f-5r8v-pff6: Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml2022-05-17
OSV
CVE-2016-7980: Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml2017-01-18

💥Exploits & PoCs

1
Exploit-DB
SPIP 3.1.2 - Cross-Site Request Forgery2016-10-20

📋Vendor Advisories

1
Debian
CVE-2016-7980: spip - Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php i...2016
CVE-2016-7980 — Cross-Site Request Forgery in Spip | cvebase