cpe:2.3:a:s9y:serendipity:0.6_pl3:*:*:*:*:*:*:*
Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.
Max CVSS
9.8
EPSS Score
2.22%
Published
2020-03-25
Updated
2020-03-27
Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
Max CVSS
6.1
EPSS Score
0.14%
Published
2019-05-09
Updated
2019-05-10
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-01-14
Updated
2017-01-25
comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-01-14
Updated
2017-01-25
Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
Max CVSS
6.1
EPSS Score
0.11%
Published
2017-01-14
Updated
2017-01-25
include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
Max CVSS
9.8
EPSS Score
0.60%
Published
2016-12-30
Updated
2017-01-03
In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.
Max CVSS
8.6
EPSS Score
0.20%
Published
2016-12-01
Updated
2016-12-03
Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.
Max CVSS
5.4
EPSS Score
0.10%
Published
2016-12-25
Updated
2016-12-30
Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php.
Max CVSS
5.4
EPSS Score
0.11%
Published
2016-01-12
Updated
2018-10-09
Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 theme in Serendipity before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via a user name in a comment, which is not properly handled in a Reply link.
Max CVSS
4.3
EPSS Score
0.23%
Published
2015-09-16
Updated
2015-09-16
Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .pht or (2) .phtml extension.
Max CVSS
6.5
EPSS Score
0.36%
Published
2015-09-16
Updated
2015-09-16
SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php.
Max CVSS
6.0
EPSS Score
0.27%
Published
2015-09-15
Updated
2016-12-22
Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entries.tpl in Serendipity before 2.0.1 allows remote authenticated editors to inject arbitrary web script or HTML via the serendipity[cat][name] parameter to serendipity_admin.php, when creating a new category.
Max CVSS
3.5
EPSS Score
0.14%
Published
2015-03-23
Updated
2018-10-09
Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.
Max CVSS
4.3
EPSS Score
0.17%
Published
2013-11-05
Updated
2013-11-07
Cross-site scripting (XSS) vulnerability in serendipity_admin_image_selector.php in Serendipity 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the serendipity[htmltarget] parameter.
Max CVSS
4.3
EPSS Score
0.24%
Published
2013-08-19
Updated
2013-08-20
SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php.
Max CVSS
7.5
EPSS Score
0.42%
Published
2012-06-07
Updated
2017-08-29
SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
Max CVSS
7.5
EPSS Score
3.31%
Published
2012-08-13
Updated
2012-08-14
Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
Max CVSS
4.3
EPSS Score
0.24%
Published
2012-08-13
Updated
2012-08-14
Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation.
Max CVSS
6.1
EPSS Score
0.23%
Published
2019-11-26
Updated
2019-12-11
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php.
Max CVSS
6.1
EPSS Score
0.58%
Published
2019-11-05
Updated
2019-11-08
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.
Max CVSS
9.8
EPSS Score
1.34%
Published
2019-11-05
Updated
2019-11-08
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
Max CVSS
6.1
EPSS Score
0.58%
Published
2019-11-05
Updated
2019-11-08
Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
2.6
EPSS Score
0.16%
Published
2010-09-10
Updated
2010-09-10
Cross-site scripting (XSS) vulnerability in the Top Referrers (aka referrer) plugin in Serendipity (S9Y) before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.
Max CVSS
4.3
EPSS Score
0.57%
Published
2008-04-23
Updated
2018-10-11
Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3-beta1 allows remote authenticated users to inject arbitrary web script or HTML via (1) the "Real name" field in Personal Settings, which is presented to readers of articles; or (2) a file upload, as demonstrated by a .htm, .html, or .js file.
Max CVSS
4.3
EPSS Score
0.31%
Published
2008-02-28
Updated
2017-08-08
36 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!