Cross-site request forgery (CSRF) vulnerability in
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote
attackers to hijack the authentication of administrators for requests that
execute the XML validator on a local file via a crafted valider_xml
request. NOTE: this issue can be combined with CVE-2016-7998 to execute
arbitrary PHP code.