CVE-2016-9998

Name of the Vulnerable Software and Affected Versions SPIP versions 3.1.x

Description The issue concerns a Reflected Cross Site Scripting problem. It involves the /ecrire/exec/info plugin.php endpoint, specifically the $plugin parameter. An example of exploitation is through a /ecrire/?exec=info plugin URL.

Recommendations For SPIP version 3.1.x, as a temporary workaround, consider restricting access to the /ecrire/exec/info plugin.php endpoint until a patch is available. Avoid using the $plugin parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.