PatchSiren cyber security CVE debrief
CVE-2016-10215 Fastspot CVE debrief
CVE-2016-10215 is a cross-site scripting issue in Fastspot BigTree's bigtree-form-builder component before version 1.2. The flaw stems from insufficient filtration of user-supplied data in multiple HTTP POST parameters sent to a form-builder AJAX endpoint. If successfully triggered, an attacker could execute arbitrary HTML and script code in the context of the vulnerable website. NVD assigns this issue a medium severity score (CVSS 6.1) and maps it to CWE-79.
- Vendor: Fastspot
- Product: CVE-2016-10215
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-10
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-10
- Advisory updated: 2026-05-13
Who should care
Organizations running Fastspot BigTree sites with the bigtree-form-builder component, especially developers, site administrators, and security teams responsible for public-facing web forms and admin workflows.
Technical summary
The NVD record describes a web cross-site scripting weakness in bigtree-form-builder affecting versions before 1.2. The vulnerable behavior occurs when user-controlled POST data is not sufficiently filtered before being processed by the ajax/redraw-field.php path. NVD classifies the weakness as CWE-79 and rates it CVSS 3.0 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating network reachability, no privileges required, and a user-interaction dependency.
Defensive priority
Medium. The issue can expose users to script injection in the trusted site origin, which may affect sessions, page content, or user trust. Priority should be higher if the form builder is publicly reachable or used in sensitive workflows.
Recommended defensive actions
- Upgrade bigtree-form-builder to version 1.2 or later.
- Confirm whether any deployed BigTree instances use affected versions at or below 1.1.
- Review the exposed form-builder endpoint and any pages or workflows that process untrusted POST input.
- Validate that server-side output encoding and input filtering are applied consistently in custom integrations.
- Use the vendor-linked repository commit and release notes as the primary remediation reference for the fixed build.
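To make the last two actions concrete, here is an added PHP illustration (not BigTree's own code) of the CWE-79 pattern behind this issue and its hardened counterpart: an AJAX handler that redraws a form-field fragment from POST parameters. The field names (title, name, type), the allowed type list and the handler layout are assumptions made for this example.

```php
<?php
// Added illustration, not code from bigtree-form-builder. A minimal AJAX
// "redraw field" handler that rebuilds a form-field <div> from POST data.
// Parameter names and the allowed type list are assumptions for this example.

declare(strict_types=1);

/** Encode a value for safe insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** CWE-79 pattern: POST values are concatenated into markup without encoding. */
function redrawFieldUnsafe(array $post): string
{
    return '<div class="field"><label>' . $post['title'] . '</label>'
         . '<input name="' . $post['name'] . '" type="' . $post['type'] . '"></div>';
}

/** Hardened version: allow-list what can be enumerated, encode everything else. */
function redrawFieldSafe(array $post): string
{
    // The field type selects a widget, so it must be one of a known set.
    $allowedTypes = ['text', 'textarea', 'checkbox', 'select'];
    $type = in_array($post['type'] ?? '', $allowedTypes, true) ? $post['type'] : 'text';

    // A form-field name only needs a narrow character set; reject anything else.
    $name = (string)($post['name'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid field name');
    }

    // The label is free text shown to the user, so it is encoded rather than filtered.
    $title = h((string)($post['title'] ?? ''));

    return '<div class="field"><label>' . $title . '</label>'
         . '<input name="' . h($name) . '" type="' . h($type) . '"></div>';
}

// Constructed sample request: the title contains markup characters that must
// survive as literal text in the redrawn fragment.
$sample = ['title' => 'Name <b>required</b>', 'name' => 'full_name', 'type' => 'text'];
header('Content-Type: text/html; charset=UTF-8');
echo redrawFieldSafe($sample);
```

When reviewing custom integrations, the check is the same as in `redrawFieldSafe`: every POST value that lands in the response is either validated against a closed set or passed through `h()` at the point of output.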
Evidence notes
The supplied NVD data states that bigtree-form-builder versions through 1.1 are vulnerable and cites CWE-79 with CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The description explicitly mentions insufficient filtration of user-supplied data in multiple HTTP POST parameters to the ajax/redraw-field.php path, and that arbitrary HTML/script code could execute in the browser context of the vulnerable website. The reference list includes a Fastspot GitHub commit associated with release notes and a third-party advisory.
Official resources
- CVE-2016-10215 CVE record (CVE.org)
- CVE-2016-10215 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes, Third Party Advisory
CVE-2016-10215 was published on 2017-02-10 and the official NVD record was last modified on 2026-05-13. The supplied record does not indicate KEV inclusion or ransomware campaign use.