CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2016-9681
https://notcve.org/view.php?id=CVE-2016-9681
Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name. Múltiples vulnerabilidades de XSS en Serendipity en versiones anteriores a 2.0.5 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de categoría o directorio. • http://www.securityfocus.com/bid/95095 https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be https://smarterbitbybit.com/cve-2016-9681-serendipity-cms-xss-vulnerability-in-version-2-0-4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9752
https://notcve.org/view.php?id=CVE-2016-9752
In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code. En Serendipity en versiones anteriores a 2.0.5, un atacante puede eludir la protección SSRF utilizando una dirección IP malformada (e.g., http://127.1) o un código de estado HTTP 30x (también conocido como Redirection). • http://www.securityfocus.com/bid/94622 https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html https://github.com/s9y/Serendipity/commit/fbdd50a448ed87ba34ea8c56446b8f1873eadd6f • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2015-8603 – Serendipity 2.0.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-8603
Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php. Vulnerabilidad de XSS en Serendipity en versiones anteriores a 2.0.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro serendipity[entry_id] en una acción de admin "edit" para serendipity_admin.php. Serendipity version 2.0.2 suffers from a cross site scripting vulnerability. • http://blog.s9y.org/archives/266-Serendipity-2.0.3-released.html http://packetstormsecurity.com/files/135164/Serendipity-2.0.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2016/Jan/18 http://www.securityfocus.com/archive/1/537248/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2015-6969
https://notcve.org/view.php?id=CVE-2015-6969
Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 theme in Serendipity before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via a user name in a comment, which is not properly handled in a Reply link. Vulnerabilidad de XSS en js/2k11.min.js en el tema 2k11 en Serendipity en versiones anteriores a 2.0.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de usuario en un comentario, lo cual no es manejado adecuadamente en un enlace Reply. • http://blog.curesec.com/article/blog/Serendipity-201-Persistent-XSS-51.html http://blog.s9y.org/archives/265-Serendipity-2.0.2-Security-Fix-Release.html http://packetstormsecurity.com/files/133427/Serendipity-2.0.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Sep/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 3CVE-2015-6968
https://notcve.org/view.php?id=CVE-2015-6968
Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .pht or (2) .phtml extension. Múltiples vulnerabilidades de lista negra incompleta en la función serendipity_isActiveFile en include/functions_images.inc.php en Serendipity en versiones anteriores a 2.0.2, permite a usuarios remotos autenticados ejecutar código PHP arbitrario mediante la carga de un archivo con una extensión (1) .pht o (2) .phtml. • http://blog.curesec.com/article/blog/Serendipity-201-Code-Execution-48.html http://blog.s9y.org/archives/265-Serendipity-2.0.2-Security-Fix-Release.html http://packetstormsecurity.com/files/133426/Serendipity-2.0.1-Shell-Upload.html http://seclists.org/fulldisclosure/2015/Sep/6 •