PatchSiren

CVE-2016-7981 Spip CVE debrief

CVE-2016-7981 is a cross-site scripting (XSS) issue in SPIP's valider_xml.php. NVD describes the flaw as allowing a remote attacker to inject arbitrary web script or HTML through the var_url parameter in a valider_xml action. The affected range listed by NVD is SPIP versions up to and including 3.1.2. Because the CVSS vector includes user interaction (UI:R) and changed scope (S:C), the main concern is browser-side script execution in a victim's context rather than direct server compromise.

Vendor: Spip
Product: CVE-2016-7981
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

SPIP administrators, site operators, and maintainers running SPIP 3.1.2 or earlier should care most. Internet-facing deployments are the highest priority because the issue is network-reachable and requires only user interaction to trigger.

Technical summary

NVD classifies the weakness as CWE-79 and assigns the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable component is valider_xml.php, with injection reaching the var_url parameter in a valider_xml action. NVD's CPE data lists SPIP versions through 3.1.2 as affected. The impact is a low loss of confidentiality and integrity (C:L/I:L) in the victim's browser context, with no availability impact (A:N) stated in the vector.

Defensive priority

Medium priority overall, but higher for exposed SPIP installations. The vulnerability is public, remotely reachable, and can affect user-facing browser sessions through injected content.

Recommended defensive actions

  • Upgrade SPIP beyond version 3.1.2 or apply the vendor fixes referenced in the SPIP repository revisions 23200, 23201, and 23202.
  • Review any deployment paths that expose the valider_xml action and restrict access where possible.
  • Validate that pages and parameters handling user-supplied URLs are properly encoded or sanitized in affected workflows.
  • Check administrative and templating areas for signs of unexpected script or HTML injection.
  • Use the official CVE and NVD records to confirm whether your deployed SPIP version falls within the affected range.
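As an added illustration of the review, detection and version-confirmation actions above (example code, not PatchSiren's or SPIP's own), the following Python compares a deployed SPIP version against the NVD range and scans constructed access-log lines for valider_xml requests whose var_url parameter decodes to HTML-significant content. The exec/action parameter names and the /ecrire/ path are assumptions about how a request reaches valider_xml; adjust them to match your own deployment's logs.

```python
"""Defender-side checks for CVE-2016-7981 (SPIP valider_xml / var_url XSS).

Added example, not PatchSiren's or SPIP's code.  Two checks:
  1. is_affected(): compare a deployed SPIP version with the NVD range
     (up to and including 3.1.2).
  2. find_suspicious_requests(): scan common-log-format access-log lines
     for valider_xml requests whose var_url decodes to HTML-significant
     characters or a script-capable URL scheme.
Assumptions: requests reach valider_xml through an ``exec`` or ``action``
query parameter (or a path containing ``valider_xml``) and carry var_url in
the query string.  The log lines below are constructed sample data.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_MAX = (3, 1, 2)  # NVD: SPIP versions through 3.1.2 are affected


def parse_version(version: str) -> tuple:
    """'3.1.2' -> (3, 1, 2); tolerates suffixes such as '3.1.2-dev'."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums) + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the version falls inside the NVD-listed range."""
    return parse_version(version) <= AFFECTED_MAX


# A URL handed to an XML validator should not need these once decoded;
# their presence in var_url is a reason to inspect the request.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|data:", re.IGNORECASE)

# Common log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_requests(lines):
    """Return (ip, timestamp, decoded var_url) for each valider_xml request
    whose var_url contains HTML-significant content."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        routed = qs.get("exec", []) + qs.get("action", [])  # assumed routing keys
        if "valider_xml" not in routed and "valider_xml" not in parts.path:
            continue
        for raw in qs.get("var_url", []):
            # parse_qs decoded once; decode again to catch double encoding
            decoded = unquote(raw)
            if SUSPICIOUS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


# Constructed sample log lines: one benign validation request, one with
# HTML-significant characters in var_url, and one unrelated page hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2016:12:00:01 +0000] "GET /ecrire/?exec=valider_xml'
    '&var_url=http%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2016:12:00:07 +0000] "GET /ecrire/?exec=valider_xml'
    '&var_url=http%3A%2F%2Fexample.com%2F%22%3E%3Cb%3Ex HTTP/1.1" 200 530',
    '198.51.100.2 - - [10/Oct/2016:12:00:09 +0000] "GET /spip.php?article1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for v in ("3.0.25", "3.1.2", "3.1.3"):
        print(f"SPIP {v}: {'AFFECTED' if is_affected(v) else 'outside NVD range'}")
    for ip, ts, url in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious var_url: {url!r}")
```

The version check treats anything at or below 3.1.2 as inside the NVD range; confirm the result against the official record, since backported fixes in a distribution package would not change the version string. The log scan is a triage filter, not a signature: it flags decoded var_url values that contain markup characters or a script-capable scheme so an analyst can review the matching sessions.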

Evidence notes

This debrief is based on the NVD CVE record and the linked vendor and advisory references only. The record states that the issue is an XSS vulnerability in valider_xml.php, that var_url is the injection point in a valider_xml action, and that SPIP 3.1.2 and earlier are affected. NVD also lists CWE-79 and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Reference links include Openwall mailing-list posts from October 2016, a SecurityFocus entry, and SPIP repository revisions marked as patches/vendor advisories.

Official resources

CVE-2016-7981 was published in the CVE/NVD record on 2017-01-18. The linked advisory and patch references include October 2016 discussion and vendor revision activity, indicating the issue was being addressed before CVE publication.