Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Serendipity 1.6.2 Cross Site Scripting

🗓️ 02 Feb 2026 00:00:00Reported by Omar KurtType 
packetstorm
 packetstorm🔗 packetstorm.news👁 111 Views

Cross-site scripting in Serendipity 1.6.2 allows remote script injection via the admin image selector with no authentication.

Code
Serendipity 1.6.2 - Cross-site Scripting
    Advisory ID: RO-13-002
    Severity: Medium
    Vendor: Serendipity
    Product: Serendipity
    Version: 1.6.2
    
    
    Overview #
    
    Multiple Cross-site Scripting (XSS) vulnerabilities exist in Serendipity version 1.6.2. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML.
    
    
    Vulnerability Details #
    
    Affected Versions: 1.6.2 and earlier
    
    Root Cause: Insufficient input validation and output encoding in the admin image selector.
    Technical Details #
    
    Vulnerable URLs in serendipity_admin_image_selector.php:
    
    /serendipity_admin_image_selector.php?serendipity[textarea]='%2Balert(0x000887)%2B'
    
    /serendipity_admin_image_selector.php?serendipity[htmltarget]='%2Balert(0x000A02)%2B'
    
    
    
    Exploitation Requirements #
    
        No authentication required
        Victim must click a crafted link
    
    Impact #
    
    Remote attackers can exploit these vulnerabilities to:
    
        Steal user session cookies
        Perform actions on behalf of users
        Redirect users to malicious websites
    
    
    
    Solution #
    
    Update to a patched version of Serendipity.
    
    
    References #
    
        Invicti Advisory NS-13-003
    
    Timeline:
    
        [2013-02-26] - First Contact
        [2013-03-04] - Sent Details
        [2013-07-12] - Advisory Released
    
    Credits: Omar Kurt

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2026 00:00Current
5.2Medium risk
Vulners AI Score5.2
Serendipitycross site scriptingadmin image selectorvulnerable version 1.6.2remote attacker
111