
CVSS: 6.1 • EPSS: 0% • CPEs: 35 • EXPL: 5

13 Aug 2012 — Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF). • https://www.exploit-db.com/exploits/18884 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 35 • EXPL: 4

13 Aug 2012 — SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF). • https://www.exploit-db.com/exploits/18884 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 35 • EXPL: 0

07 Jun 2012 — SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php. • http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 54 • EXPL: 1

10 Sep 2010 — Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://blog.s9y.org/archives/223-Serendipity-1.5.4-released.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 5% • CPEs: 41 • EXPL: 2

12 May 2010 — The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backen... • http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042577.html • CWE-264: Permissions, Privileges, and Access Controls