CVSS: 7.5EPSS: 0%CPEs: 35EXPL: 4CVE-2012-2332 – S9Y Serendipity 1.6 - 'Backend' Cross-Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2012-2332
SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF). Una vulnerabilidad de inyección SQL en serendipity/serendipity_admin.php en Serendipity antes de v1.6.1 permite a atacantes remotos ejecutar comandos SQL a través del parámetro serendipity[plugin_to_conf]. NOTA: este problema podría ser resultante de una falsificación de solicitudes en sitios cruzados (CSRF). • https://www.exploit-db.com/exploits/18884 http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt http://www.openwall.com/lists/oss-security/2012/05/08/6 http://www.openwall.com/lists/oss-security/2012/05/09/2 http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Site-Scripting-and-SQL-Injection-vulnerability. • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 5CVE-2012-2331 – S9Y Serendipity 1.6 - 'Backend' Cross-Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2012-2331
Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF). Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en Serendipity/serendipity_admin_image_selector.php en Serendipity antes de v1.6.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro serendipity[textarea]. NOTA: este problema podría ser resultante de una falsificación de solicitudes en sitios cruzados(CSRF). • https://www.exploit-db.com/exploits/18884 http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html http://secunia.com/advisories/49009 http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt http://www.openwall.com/lists/oss-security/2012/05/08/6 http://www.openwall.com/lists/oss-security/2012/05/09/2 http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Si • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 35EXPL: 0CVE-2012-2762 – Serendipity 1.6.1 SQL Injection
https://notcve.org/view.php?id=CVE-2012-2762
SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php. Vulnerabilidad de inyección SQL en include/functions_trackbacks.inc.php en Serendipity v1.6.2 permite a atacantes remotos ejecutar comandos SQL a través del parámetro URL en comment.php. Serendipity version 1.6.1 suffers from a remote SQL injection vulnerability. • http://blog.s9y.org/archives/241-Serendipity-1.6.2-released.html http://secunia.com/advisories/49234 http://www.osvdb.org/82036 http://www.securityfocus.com/bid/53620 http://www.securitytracker.com/id?1027079 https://exchange.xforce.ibmcloud.com/vulnerabilities/75760 https://github.com/s9y/Serendipity/commit/87153991d06bc18fe4af05f97810487c4a340a92#diff-1 https://www.htbridge.com/advisory/HTB23092 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3800
https://notcve.org/view.php?id=CVE-2011-3800
Serendipity 1.5.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by templates/newspaper/layout.php and certain other files. Serendipity v1.5.5 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con templates/newspaper/layout.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/serendipity-1.5.5 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.6EPSS: 0%CPEs: 54EXPL: 1CVE-2010-2957
https://notcve.org/view.php?id=CVE-2010-2957
Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Serendipity anteriores a v1.5.4, cuando el login "Remenber me" está activado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores desconocidos. • http://blog.s9y.org/archives/223-Serendipity-1.5.4-released.html http://www.htbridge.ch/advisory/xss_vulnerability_in_serendipity.html http://www.openwall.com/lists/oss-security/2010/08/29/3 http://www.openwall.com/lists/oss-security/2010/08/31/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •