CVE-2014-9432
https://notcve.org/view.php?id=CVE-2014-9432
Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php.
References:
http://blog.s9y.org/archives/259-Serendipity-2.0-rc2-released.html
http://packetstormsecurity.com/files/129709/CMS-Serendipity-2.0-rc1-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2014/Dec/108
http://sroesemann.blogspot.de/2014/12/bericht-zu-sroeadv-2014-02.html
http://www.securityfocus.com/archive/1/534315/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/99464
https://github.com/s9y/Serendipity/commit/36cde3030aaa27a46bf94086e062dfe56b60230b
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5670
https://notcve.org/view.php?id=CVE-2013-5670
Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.
References:
http://blog.s9y.org/archives/250-Serendipity-1.7.3-released.html
http://www.opensyscom.fr/Actualites/serendipity-xss-vulnerability.html
http://www.openwall.com/lists/oss-security/2013/09/01/1
http://www.openwall.com/lists/oss-security/2013/09/01/3
http://www.osvdb.org/87395
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-5314 – S9Y Serendipity 1.6.2 - 'serendipity_admin_image_selector.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-5314
Cross-site scripting (XSS) vulnerability in serendipity_admin_image_selector.php in Serendipity 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the serendipity[htmltarget] parameter.
References:
https://www.exploit-db.com/exploits/38642
http://archives.neohapsis.com/archives/bugtraq/2013-07/0135.html
https://www.mavitunasecurity.com/xss-vulnerabilities-in-serendipity
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2331 – S9Y Serendipity 1.6 - 'Backend' Cross-Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2012-2331
Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
References:
https://www.exploit-db.com/exploits/18884
http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html
http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
http://secunia.com/advisories/49009
http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
http://www.openwall.com/lists/oss-security/2012/05/08/6
http://www.openwall.com/lists/oss-security/2012/05/09/2
http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Si
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2332 – S9Y Serendipity 1.6 - 'Backend' Cross-Site Scripting / SQL Injection
https://notcve.org/view.php?id=CVE-2012-2332
SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
References:
https://www.exploit-db.com/exploits/18884
http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html
http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html
http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt
http://www.openwall.com/lists/oss-security/2012/05/08/6
http://www.openwall.com/lists/oss-security/2012/05/09/2
http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Site-Scripting-and-SQL-Injection-vulnerability.
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')