CVE-2016-7149 B2evolution CVE debrief

Who should care

Teams running b2evolution sites at version 6.7.5 or earlier, especially CMS/blog administrators, hosting providers, and security teams responsible for web content integrity and session protection.

Technical summary

NVD classifies the issue as CWE-79 with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable scope in the NVD CPE entry covers b2evolution versions through 6.7.5. The supplied references include mailing list advisories and a GitHub patch commit, indicating the issue was addressed upstream.

Defensive priority

Medium. The severity score is moderate, but XSS in a content management platform can expose sessions, alter page content, and undermine trust in rendered output. Prioritize if the product is internet-facing or used by privileged editors.

Recommended defensive actions

• Upgrade b2evolution to a version newer than 6.7.5 or apply the vendor fix referenced by the upstream patch commit.
• Review any user-supplied content paths that feed the autolink function and verify output encoding/sanitization is enforced before rendering.
• Check templates, theme overrides, and plugins for custom rendering logic that may reintroduce unsafe HTML output.
• Audit administrator and editor accounts for suspicious activity if the vulnerable version was exposed publicly.
• Use browser-side protections such as a restrictive Content Security Policy where feasible to reduce XSS impact.

Evidence notes

This debrief is based on the supplied NVD record, which identifies the vulnerability as CVE-2016-7149 in b2evolution through 6.7.5, with CWE-79 and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Supporting references include Openwall mailing list posts from 2016-09-12 and 2016-09-15, SecurityFocus BID 92967, and the upstream GitHub patch commit 9a4ab85439d1b838ee7b8eeebbf59174bb787811.

Official resources