PatchSiren cyber security CVE debrief
CVE-2014-9916 Bilboplanet CVE debrief
CVE-2014-9916 covers multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0. According to the CVE description, remote attackers can inject arbitrary web script or HTML through the tribe_name and tags parameters in tribes page requests to user/, as well as the user_id and fullname parameters in signup.php. NVD lists the weakness as CWE-79 and assigns a CVSS v3.1 score of 6.1 (medium).
- Vendor
- Bilboplanet
- Product
- CVE-2014-9916
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-02-24
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-02-24
- Advisory updated
- 2026-05-13
Who should care
Administrators, developers, and security teams responsible for Bilboplanet 2.0 deployments should care most, especially if the application is internet-facing or processes untrusted user input on the affected pages.
Technical summary
The affected Bilboplanet 2.0 paths expose multiple input parameters that can be used to inject script or HTML content, consistent with CWE-79 cross-site scripting. The vulnerable inputs named in the CVE are tribe_name and tags on a tribes page request to user/, plus user_id and fullname in signup.php. NVD’s CVSS vector indicates network exploitation with user interaction required and no privileges needed.
Defensive priority
Medium. This is a web application input-validation and output-encoding issue that can expose users to script execution, session theft, phishing, or content manipulation. Prioritize remediation if the affected application is still deployed or reachable by untrusted users.
Recommended defensive actions
- Review and sanitize all user-controlled parameters on the affected pages, especially tribe_name, tags, user_id, and fullname.
- Use context-aware output encoding for HTML, attribute, and script contexts rather than relying on simple filtering.
- Add or tighten server-side input validation and reject unexpected markup-bearing input where appropriate.
- Apply a restrictive Content Security Policy to reduce the impact of any injected script.
- Inventory Bilboplanet 2.0 deployments and remove, isolate, or replace the affected version if no corrective update is available.
- Re-test the affected request paths after remediation to confirm that script and HTML injection are blocked.
Evidence notes
All substantive claims in this debrief come from the supplied CVE description and NVD metadata: Bilboplanet 2.0 is the affected product; the named vectors are tribe_name, tags, user_id, and fullname; the weakness is CWE-79; and NVD assigns CVSS v3.1 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The Exploit-DB reference is included by NVD as a third-party reference, but no exploit details are used here.
Official resources
-
CVE-2014-9916 CVE record
CVE.org
-
CVE-2014-9916 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory, VDB Entry
CVE published 2017-02-24 and last modified 2026-05-13 in the supplied record. No KEV listing was provided.