PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7999 Spip CVE debrief

CVE-2016-7999 is a high-severity server-side request forgery issue in SPIP 3.1.2 and earlier. A remote attacker can supply a URL through the var_url parameter in the valider_xml action, causing the server to make requests on the attacker’s behalf. NVD classifies the weakness as CWE-918 and scores it 7.4 with a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N.

Vendor: Spip
Product: CVE-2016-7999
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

SPIP operators and administrators, especially for internet-facing or internally connected deployments running version 3.1.2 or earlier.

Technical summary

The affected code path is ecrire/exec/valider_xml.php. The vulnerability is exposed through the var_url parameter in the valider_xml action and allows SSRF. Per NVD, the attack is network-reachable, requires no privileges, does require user interaction, and is associated with high integrity impact and scope change. The supplied metadata limits the technical detail to the URL parameter and the documented version range up to 3.1.2.

Defensive priority

High

Recommended defensive actions

  • Upgrade SPIP to a version newer than 3.1.2 on every affected instance.
  • Restrict access to the administrative valider_xml endpoint and related SPIP admin paths from untrusted networks where possible.
  • Apply egress filtering and network allowlisting so the server cannot reach sensitive internal or metadata addresses through arbitrary outbound requests.
  • Review web and application logs for unusual requests to valider_xml.php and unexpected var_url values during the affected period.
  • Use the vendor patch references listed in the CVE record as part of remediation validation.
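The log-review and egress-allowlisting items above can be turned into a small triage script. The following is an added example written for this debrief, not code from SPIP or from the CVE references: it parses combined-format access log lines, picks out requests to the valider_xml action that carry a var_url, and classifies the target as internal (loopback, private, link-local, reserved or internal-looking names), allowlisted, not allowlisted, or unparseable. The sample log lines are constructed with RFC 5737 documentation addresses, the combined log format, the `ALLOWED_OUTBOUND_HOSTS` allowlist and the internal-name suffixes are assumptions, and the same classifier can serve as the policy check for an outbound allowlist.

```python
"""Triage access logs for SPIP valider_xml requests and classify var_url targets.
Added example for the CVE-2016-7999 debrief; log lines below are constructed and
the log format, allowlist and internal-name suffixes are assumptions."""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" style request line; exact format is an assumption.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic (RFC 5737 addresses), not real log data.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Oct/2016:09:14:02 +0000] "GET /ecrire/?exec=valider_xml&var_url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Oct/2016:09:14:09 +0000] "GET /ecrire/?exec=valider_xml&var_url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 1843',
    '198.51.100.7 - - [12/Oct/2016:09:20:31 +0000] "GET /ecrire/?exec=valider_xml&var_url=http%3A%2F%2Fwww.example.org%2Ffeed.xml HTTP/1.1" 200 2210',
    '198.51.100.7 - - [12/Oct/2016:09:21:00 +0000] "GET /spip.php?page=sommaire HTTP/1.1" 200 9012',
]

# Hypothetical allowlist of hosts the server is expected to fetch XML from.
ALLOWED_OUTBOUND_HOSTS = {"www.example.org"}

# Name suffixes assumed to denote internal services (not IP literals).
INTERNAL_NAME_SUFFIXES = (".internal", ".local", ".localdomain")


def classify_target(url, allowlist=ALLOWED_OUTBOUND_HOSTS):
    """Return 'internal', 'allowlisted', 'not-allowlisted' or 'unparseable'."""
    host = urlparse(url).hostname  # lower-cased, brackets stripped for IPv6
    if not host:
        return "unparseable"  # no scheme/authority; treat as suspicious
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: check for internal-looking names, then the allowlist.
        if host == "localhost" or host.endswith(INTERNAL_NAME_SUFFIXES):
            return "internal"
        return "allowlisted" if host in allowlist else "not-allowlisted"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return "internal"
    return "allowlisted" if host in allowlist else "not-allowlisted"


def review_log(lines):
    """Return one finding per valider_xml request that carried a var_url."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        query = parse_qs(target.query)
        # SPIP dispatches admin actions as ecrire/?exec=<action>; direct hits
        # on the PHP file are matched as well (dispatch form is an assumption).
        is_action = query.get("exec", [""])[0] == "valider_xml"
        if not is_action and not target.path.endswith("valider_xml.php"):
            continue
        var_url = query.get("var_url", [None])[0]
        if var_url is None:
            continue  # ordinary admin use without a fetch target
        findings.append({
            "client": m["client"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "var_url": var_url,
            "verdict": classify_target(var_url),
        })
    return findings


def high_priority(findings):
    """Findings that point the server at internal or unparseable targets."""
    return [f for f in findings if f["verdict"] in ("internal", "unparseable")]


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['verdict']:16} {f['client']:14} {f['timestamp']}  {f['var_url']}")
```

Run it against real access logs by replacing `SAMPLE_LOG` with the file's lines; `high_priority` gives the rows to escalate, while `not-allowlisted` rows are worth a look but may be legitimate admin activity.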

Evidence notes

This debrief is based only on the supplied CVE/NVD metadata and the linked references listed there. The key supported facts are: affected versions are SPIP 3.1.2 and earlier, the issue is SSRF in ecrire/exec/valider_xml.php via var_url, NVD assigns CWE-918, and the CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N. The reference list includes OSS-security mailing-list posts, SPIP revision links marked as patch/vendor advisory, a SecurityFocus advisory entry, and a third-party Sysdream article. The CVE publication date used for chronology is 2017-01-18; the later modified date is record maintenance and not the original issue date.

Official resources

Publicly disclosed in the CVE record on 2017-01-18. The reference metadata also points to October 2016 mailing-list and patch activity, but this debrief uses the CVE publication date as the disclosure date and does not treat later record-4/