S9Y Security Vulnerabilities


CVE-2017-5609

SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.

CVSS: 8.8

AI Score: 8.8

EPSS: 0.001

2017-01-28 06:59 PM

CVE-2017-8101

There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.

CVSS: 8.8

AI Score: 8.5

EPSS: 0.001

2022-10-03 04:23 PM

CVE-2017-8102

Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.

CVSS: 5.4

AI Score: 5.1

EPSS: 0.001

2022-10-03 04:23 PM

CVE-2019-11870

Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.

CVSS: 6.1

AI Score: 5.8

EPSS: 0.001

2019-05-09 11:29 PM

CVE-2020-10964

Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.

CVSS: 9.8

AI Score: 9.7

EPSS: 0.028

2020-03-25 10:15 PM

CVE-2023-31576

An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or JavaScript file.

CVSS: 8.8

AI Score: 8.7

EPSS: 0.001

2023-05-16 02:15 PM
Total number of security vulnerabilities: 56