CVE-2016-7999 — Vulnetix

CVE-2016-7999 PUBLISHED

ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

EPSS 0.75% · 73.5th percentile

Risk Scores

EPSS Score

0.75%

73.5th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	spip	0, 3.0.20-1, 3.0.21-1

Exploit Intelligence

93451 (circl)
https://core.spip.net/projects/spip/repository/revisions/23193 (circl)
https://core.spip.net/projects/spip/repository/revisions/23188 (circl)
[oss-security] 20161007 Re: SPIP vulnerabilities: request for 5 CVE (circl)
[oss-security] 20161008 Re: SPIP vulnerabilities: request for 5 CVE (circl)
[oss-security] 20161005 SPIP vulnerabilities: request for 5 CVE (circl)
[oss-security] 20161012 CVE-2016-7999: SPIP 3.1.2 Server Side Request Forgery (circl)
https://sysdream.com/news/lab/2016-10-19-spip-3-1-2-server-side-request-forgery-cve-2016-7999/ (circl)
SPIP 3.1.2 Server Side Request Forgery Vulnerability (0day-today)
SPIP 3.1.2 Server Side Request Forgery Vulnerability (0day-today)

Timeline

Oct 20, 2016 PoC Published
Jan 18, 2017 CVE Published
May 24, 2017 CVE Updated
Feb 4, 2022 EPSS Score
Mar 29, 2022 EPSS Score
May 20, 2022 EPSS Score
Jul 12, 2022 EPSS Score
Oct 26, 2022 EPSS Score
Dec 18, 2022 EPSS Score
Feb 8, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 2, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2016-7999 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2016-7999 third-party-advisory

Open in Interactive Console →