Server Side Request Forgery in SPIP by SPIP Team
CVE-2016-7999

7.4HIGH

Key Information:

Vendor
Spip
Status
Spip
Vendor
CVE Published:
18 January 2017

Summary

An issue in the 'valider_xml' action of SPIP 3.1.2 and earlier releases permits remote attackers to conduct server side request forgery (SSRF) attacks. This vulnerability arises when malicious URLs are passed through the 'var_url' parameter, enabling attackers to access internal resources or sensitive information on the server.

References

http://www.securityfocus.com/bid/93451
vdb-entryx_refsource_BID
https://core.spip.net/projects/spip/repository/revisions/...
x_refsource_CONFIRM
https://core.spip.net/projects/spip/repository/revisions/...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.