Serendipity 'serendipity_admin.php' Cross Site Scripting Vulnerability Network Vulnerability

Summary

This host is running Serendipity and is prone to cross site scripting vulnerability.

Impact

Successful exploitation will allow attacker to steal cookie-based authentication credentials, disclosure or modification of sensitive data. Impact Level: Application

Solution

Upgrade to Serendipity version 1.5.4 or later. For updates refer to http://www.s9y.org/12.html

Insight

The flaw exists due to failure in the 'include/functions_entries.inc.php' script to properly sanitize user-supplied input in 'serendipity[body]' variable.

Affected

Serendipity prior to 1.5.4 and on all platforms.

References

http://blog.s9y.org/archives/223-Serendipity-1.5.4-released.html
http://www.htbridge.ch/advisory/xss_vulnerability_in_serendipity.html
http://www.openwall.com/lists/oss-security/2010/08/29/3

Updated on 2015-03-25

Severity

Classification

CVE CVE-2010-2957
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N

Related Vulnerabilities

OTRS installer.pl Password Disclosure Vulnerability
RemotelyAnywhere Cross Site Scripting
Packeteer Web Management Interface Version
Nikto (NASL wrapper)
Manx Multiple Cross Site Scripting and Directory Traversal Vulnerabilities

Take action and discover your vulnerabilities