Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNicolas ChatelainPACKETSTORM:139234
HistoryOct 19, 2016 - 12:00 a.m.

SPIP 3.1.2 Cross Site Scripting

2016-10-1900:00:00
Nicolas Chatelain
packetstormsecurity.com
22

0.003 Low

EPSS

Percentile

65.8%

JSON
`## SPIP 3.1.2 Reflected Cross-Site Scripting (CVE-2016-7981)  
  
### Product Description  
  
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.  
  
### Vulnerability Description  
  
The `var_url` parameter of the `valider_xml` file is not correctly sanitized and can be used to trigger a reflected XSS vulnerability.  
  
**Access Vector**: remote  
  
**Security Risk**: medium  
  
**Vulnerability**: CWE-79  
  
**CVSS Base Score**: 6.8 (Medium)  
  
**CVE-ID**: CVE-2016-7981  
  
### Proof of Concept  
  
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=%22%3E%3Ch1%3EXSS!%3C/h1%3E  
  
### Vulnerable code  
  
The `$url variable` is not properly sanitized in `valider_xml.php`, line 134 :  
  
$res =  
"<div style='text-align: center'>" . $err . "</div>" .  
"<div style='margin: 10px; text-align: left'>" . $texte . '</div>';  
$bandeau = "<a href='$url_aff'>$url</a>";  
  
The Cross-Site Scripting vulnerability is triggered on line 146 :  
  
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',  
  
  
### Timeline (dd/mm/yyyy)  
  
* 15/09/2016 : Initial discovery  
* 26/09/2016 : Contact with SPIP Team  
* 27/09/2016 : Answer from SPIP Team, sent advisory details  
* 27/09/2016 : Incorrect fix from SPIP Team.  
* 27/09/2016 : New proof of concept for bypassing fixes for XSS sent.  
* 27/09/2016 : Fixes issued for XSS (23185).  
* 30/09/2016 : SPIP 3.1.3 Released  
  
### Fixes  
  
* https://core.spip.net/projects/spip/repository/revisions/23200  
* https://core.spip.net/projects/spip/repository/revisions/23201  
* https://core.spip.net/projects/spip/repository/revisions/23202  
  
  
### Affected versions  
  
* Version <= 3.1.2  
  
### Credits  
  
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)  
  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
  
  
`

Related

cvelist 1
nvd 1
cve 1
zdt 1
nuclei 1
prion 1
osv 2
ubuntucve 1
debiancve 1
debian 1
openvas 2
nessus 1
cvelist
cvelist
CVE-2016-7981
2017-01-18 17:00:00
nvd
nvd
CVE-2016-7981
2017-01-18 17:59:00
cve
cve
CVE-2016-7981
2017-01-18 17:59:00
zdt
zdt
SPIP 3.1.2 Cross Site Scripting Vulnerability
2016-10-20 00:00:00
nuclei
nuclei
SPIP <3.1.2 - Cross-Site Scripting
2021-07-27 10:27:42
prion
prion
Cross site scripting
2017-01-18 17:59:00
osv
osv
CVE-2016-7981
2017-01-18 17:59:00
spip - security update
2016-11-02 00:00:00
ubuntucve
ubuntucve
CVE-2016-7981
2017-01-18 00:00:00
debiancve
debiancve
CVE-2016-7981
2017-01-18 17:59:00
debian
debian
[SECURITY] [DLA 695-1] spip security update
2016-11-02 22:00:02
openvas
openvas
Debian: Security Advisory (DLA-695-1)
2023-03-08 00:00:00
SPIP < 3.1.3 Multiple Vulnerabilities
2016-11-08 00:00:00
nessus
nessus
Debian DLA-695-1 : spip security update
2016-11-03 00:00:00

0.003 Low

EPSS

Percentile

65.8%

JSON
Related for PACKETSTORM:139234
cvelist1nvd1cve1zdt1nuclei1prion1osv2ubuntucve1debiancve1debian1openvas2nessus1