CVE-2016-9997

Published: Dec 17, 2016Modified: May 6, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.

Affected (9)

Products: Spip: Spip

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Spip Spip	Version 3.1.0
Spip Spip	Version 3.1.0 alpha
Spip Spip	Version 3.1.0 beta
Spip Spip	Version 3.1.0 rc2
Spip Spip	Version 3.1.0 rc3
Spip Spip	Version 3.1.0 rc
Spip Spip	Version 3.1.1
Spip Spip	Version 3.1.2
Spip Spip	Version 3.1.3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

http://www.securityfocus.com/bid/95008

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037486

Source: cve@mitre.org

https://core.spip.net/projects/spip/repository/revisions/23288

Source: cve@mitre.org

Issue TrackingPatchVendor Advisory

http://www.securityfocus.com/bid/95008

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037486

Source: af854a3a-2127-422b-91ae-364da2661108

https://core.spip.net/projects/spip/repository/revisions/23288

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.