CVE-2016-7999 Information

Feb 14, 2021 cve

Description

ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Reference

http://www.openwall.com/lists/oss-security/2016/10/05/17 http://www.openwall.com/lists/oss-security/2016/10/07/5 http://www.openwall.com/lists/oss-security/2016/10/08/6 http://www.openwall.com/lists/oss-security/2016/10/12/10 http://www.securityfocus.com/bid/93451 https://core.spip.net/projects/spip/repository/revisions/23188 https://core.spip.net/projects/spip/repository/revisions/23193 https://sysdream.com/news/lab/2016-10-19-spip-3-1-2-server-side-request-forgery-cve-2016-7999/ ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.4

Share on: