PatchSiren cyber security CVE debrief

CVE-2016-7150 B2evolution CVE debrief

CVE-2016-7150 is an authenticated cross-site scripting (XSS) issue in b2evolution affecting versions 6.7.5 and earlier. An attacker with valid user access can inject arbitrary web script or HTML through the site name field, which can lead to script execution in other users’ browsers when the affected content is rendered. The CVE was published on 2017-01-18, while linked public references show disclosure and patch discussion in September 2016.

Vendor: B2evolution
Product: CVE-2016-7150
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

b2evolution administrators, maintainers, and security teams responsible for sites where authenticated users can edit or influence the site name or similar display fields should prioritize this issue. It is especially relevant in multi-user deployments where lower-privileged accounts can reach settings that are later rendered to others.

Technical summary

NVD classifies the flaw as CWE-79 (cross-site scripting) with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerable product range is b2evolution up to and including 6.7.5. The issue is triggered by an authenticated remote user supplying malicious script or HTML through the site name value, which can then affect browser-side rendering.

Defensive priority

Medium. The vulnerability requires authentication and user interaction, but it can still affect confidentiality and integrity in the browser context, so it should be remediated promptly in any exposed or multi-user b2evolution deployment.

Recommended defensive actions

Upgrade b2evolution to a version newer than 6.7.5 that includes the fix referenced in the project commit history.
Review any settings or admin fields that accept user-controlled display text, especially the site name, and ensure they are output-encoded before rendering.
Audit for unexpected script or HTML content in stored site metadata and remove suspicious entries.
Limit which roles can modify site-wide display settings to reduce the number of accounts that can reach the vulnerable input.
Verify that browser-side content security controls and output encoding are consistently applied across templates and admin views.

Evidence notes

Source data identifies the affected range as b2evolution versions up to 6.7.5 and the weakness as CWE-79. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Public references include September 2016 mailing list posts and a GitHub commit marked as a patch reference, supporting that the issue was disclosed and addressed before the CVE record publication date.

Official resources

CVE-2016-7150 CVE record
CVE.org
CVE-2016-7150 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Mailing List, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Patch, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch, Third Party Advisory

Public references indicate disclosure and patch discussion in September 2016 via oss-security and a GitHub commit, while the CVE record itself was published on 2017-01-18.