CVE-2016-7999

Name of the Vulnerable Software and Affected Versions SPIP versions 3.1.2 and earlier

Description The issue allows remote attackers to conduct server-side request forgery (SSRF) attacks. This is achieved by providing a URL in the var url parameter within a valider xml action, targeting the ecrire/exec/valider xml.php file.

Recommendations For SPIP versions 3.1.2 and earlier, consider restricting access to the ecrire/exec/valider xml.php file or the valider xml action to minimize the risk of exploitation. Avoid using the var url parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.