Homepage

Cross-site Request Forgery (CSRF) Affecting spip package, versions <3.1.3-1

Severity

 Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
2.19% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN13-SPIP-5695970
  • published18 Jan 2017
  • disclosed18 Jan 2017
Report a new vulnerability Found a mistake?

Introduced: 18 Jan 2017

CVE-2016-7980  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade Debian:13 spip to version 3.1.3-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream spip package and not the spip package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request. NOTE: this issue can be combined with CVE-2016-7998 to execute arbitrary PHP code.