PatchSiren cyber security CVE debrief

CVE-2016-7980 Spip CVE debrief

CVE-2016-7980 is a high-severity CSRF issue in SPIP's XML validation handler. In SPIP 3.1.2 and earlier, a crafted valider_xml request can trick a logged-in administrator into triggering the XML validator on a local file, riding on the administrator's authenticated session to perform an action the administrator never intended. NVD assigns a CVSS 3.0 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The advisory also notes that this issue can be combined with CVE-2016-7998 to reach arbitrary PHP code execution.

Vendor: Spip
Product: CVE-2016-7980
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

SPIP site owners and administrators, web application security teams, and managed hosting providers running SPIP 3.1.2 or earlier. Prioritize systems where administrators can be induced to visit untrusted content while logged in.

Technical summary

NVD identifies a CSRF weakness (CWE-352) in ecrire/exec/valider_xml.php. The vulnerable CPE covers SPIP versions up to and including 3.1.2. The attack is network-reachable and requires user interaction from an authenticated administrator; the crafted request can cause the XML validator to run on a local file. Related vendor patch references are listed in SPIP repository revisions 23201, 23202, and 23203.

Defensive priority

Urgent for any exposed SPIP installation at or below 3.1.2. The flaw requires admin interaction (UI:R), but it needs no attacker privileges (PR:N) and can have severe impact if chained with the related issue noted in the advisory.

Recommended defensive actions

  • Inventory all SPIP deployments and confirm whether any instance is running version 3.1.2 or earlier.
  • Apply the SPIP fixes referenced by the vendor advisory links and move to a version later than 3.1.2.
  • Restrict administrative access as much as possible and reduce exposure of the admin interface to the public internet.
  • Review logs for suspicious requests to ecrire/exec/valider_xml.php or unexpected valider_xml activity.
  • If CVE-2016-7998 is also present, treat the environment as higher risk and prioritize full remediation immediately.
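As a worked illustration of the log-review step above, the following Python script scans Apache combined-format access logs for requests that reach SPIP's XML validator (either the script path ecrire/exec/valider_xml.php or exec=valider_xml on the ecrire/ front controller) and flags those whose Referer is absent or points to a host other than the site itself, which is the pattern a CSRF-triggered admin request would leave. This is an added example written for this debrief, not code from SPIP or from PatchSiren; the log lines are constructed samples, the site host name, the log format and the var_url query parameter are assumptions for illustration, and the same-origin Referer heuristic is a triage aid rather than proof of exploitation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache "combined" access-log lines for illustration only;
# they are not captured traffic. spip.example is an assumed site host.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2016:10:01:22 +0000] "GET /ecrire/?exec=accueil HTTP/1.1" 200 5120 "https://spip.example/ecrire/" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2016:10:02:05 +0000] "GET /ecrire/?exec=valider_xml&var_url=ecrire/index.php HTTP/1.1" 200 2048 "https://attacker.example/lure.html" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2016:10:03:40 +0000] "GET /ecrire/exec/valider_xml.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2016:10:05:00 +0000] "GET /ecrire/?exec=valider_xml HTTP/1.1" 200 1800 "https://spip.example/ecrire/?exec=accueil" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_valider_xml_request(target: str) -> bool:
    """True if the request target reaches SPIP's XML validator, either via the
    script path ecrire/exec/valider_xml.php or via exec=valider_xml on ecrire/."""
    parts = urlsplit(target)
    if parts.path.endswith("/ecrire/exec/valider_xml.php"):
        return True
    return "valider_xml" in parse_qs(parts.query).get("exec", [])


def classify_referer(referer: str, site_host: str):
    """Return a reason string when the Referer does not look same-origin,
    or None when the request appears to originate from the site itself."""
    if referer in ("", "-"):
        # Browsers/privacy settings can strip Referer, so this is lower confidence.
        return "missing_referer"
    ref_host = (urlsplit(referer).hostname or "").lower()
    if ref_host != site_host.lower():
        return "external_referer"
    return None


def scan(log_text: str, site_host: str) -> list:
    """Return one finding per valider_xml request whose Referer is missing or external."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_valider_xml_request(m["target"]):
            continue
        reason = classify_referer(m["referer"], site_host)
        if reason is None:
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "referer": m["referer"],
            "reason": reason,
        })
    return findings


def count_valider_xml_hits(log_text: str) -> int:
    """Total number of requests that reach the XML validator, suspicious or not."""
    return sum(
        1 for line in log_text.splitlines()
        if (m := LOG_RE.match(line)) and is_valider_xml_request(m["target"])
    )


if __name__ == "__main__":
    print("valider_xml hits:", count_valider_xml_hits(SAMPLE_LOG))
    for f in scan(SAMPLE_LOG, "spip.example"):
        print(f"{f['timestamp']} {f['ip']} {f['target']} referer={f['referer']!r} -> {f['reason']}")
```

On the constructed sample this reports three validator hits and two findings: the request referred from attacker.example and the request with no Referer at all; the fourth line, referred from the site's own admin pages, is left alone. Tune the host comparison if the site is served under several names, and treat a missing Referer as a prompt for further review rather than as proof of abuse.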

Evidence notes

The supplied NVD record lists SPIP as the affected product family, version_end_including 3.1.2, CWE-352, and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The description states the flaw is a CSRF in ecrire/exec/valider_xml.php and notes potential chaining with CVE-2016-7998. Reference links include oss-security posts from 2016-10-05, 2016-10-06, and 2016-10-12, plus SPIP repository revisions 23201, 23202, and 23203. CVE publication date used here is 2017-01-18 from the supplied record.

Official resources

Publicly disclosed in 2016 advisory threads and published in the supplied NVD record on 2017-01-18. This debrief relies only on the provided NVD metadata and linked references.