Summary
This host is running Serendipity and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow an attacker to steal cookie-based authentication credentials and to disclose or modify sensitive data.
Impact Level: Application
Solution
Upgrade to Serendipity version 1.5.4 or later.
For updates refer to http://www.s9y.org/12.html
Insight
The flaw is due to the 'include/functions_entries.inc.php' script failing to properly sanitize user-supplied input in the 'serendipity[body]' variable.
Affected
Serendipity versions prior to 1.5.4 on all platforms.
Severity
Classification
CVE: CVE-2010-2957
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:N/I:P/A:N