CVSS: 4.3EPSS: 0%CPEs: 26EXPL: 0CVE-2008-1476
https://notcve.org/view.php?id=CVE-2008-1476
Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to received trackbacks. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Serendipity (S9Y) antes de 1.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados relacionados con trackbacks recibidos. • http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html http://secunia.com/advisories/29398 http://secunia.com/advisories/29502 http://www.debian.org/security/2008/dsa-1528 http://www.securityfocus.com/bid/28298 http://www.vupen.com/english/advisories/2008/0925/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41343 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 34EXPL: 0CVE-2008-0124
https://notcve.org/view.php?id=CVE-2008-0124
Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3-beta1 allows remote authenticated users to inject arbitrary web script or HTML via (1) the "Real name" field in Personal Settings, which is presented to readers of articles; or (2) a file upload, as demonstrated by a .htm, .html, or .js file. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Serendipity (S9Y) anterior a 1.3-beta 1, permite a usuarios autenticados remotamente inyectar secuencias de comandos Web de su elección o HTML a través de (1) el campo "Real name" de Personal Settings, el cuál es mostrado a los lectores de los artículos; o (2) la subida de un fichero, como se ha demostrado mediante un fichero .htm, .html, o .js. • http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html http://int21.de/cve/CVE-2008-0124-s9y.html http://secunia.com/advisories/29128 http://secunia.com/advisories/29502 http://www.debian.org/security/2008/dsa-1528 http://www.securityfocus.com/bid/28003 http://www.securitytracker.com/id?1019502 http://www.vupen.com/english/advisories/2008/0700/references https://exchange.xforce.ibmcloud.com/vulnerabilities/40851 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-6390
https://notcve.org/view.php?id=CVE-2007-6390
Cross-site request forgery (CSRF) vulnerability in the mycalendar plugin before 0.13 for Serendipity allows remote attackers to perform actions as blog administrators, which can be leveraged to conduct cross-site scripting (XSS) attacks on the blog page. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin mycalendar versiones anteriores a 0.13 para Serendipity, permite a los atacantes remotos realizar acciones como administradores de blogs, que pueden ser aprovechadas para conducir ataques de tipo cross-site scripting (XSS) en la página blog. • http://secunia.com/advisories/28152 http://www.hboeck.de/archives/572-Some-XSS-issues-in-Serendipity-found.html http://www.securityfocus.com/bid/26955 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 37EXPL: 1CVE-2007-6205
https://notcve.org/view.php?id=CVE-2007-6205
Cross-site scripting (XSS) vulnerability in the remote RSS sidebar plugin (serendipity_plugin_remoterss) in S9Y Serendipity before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via a link in an RSS feed. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en el añadido del lector RSS remoto de la barra lateral (serendipity_plugin_remoterss) en S9Y Serendipity before 1.2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un enlace en un alimentador RSS. The Serendipity blog system contains a plugin to display the content of feeds in the sidebar (serendipity_plugin_remoterss). If an attacker can modify the RSS feed, it is possible to inject javascript code in the link part, because it is not correctly escaped. Versions below 1.2.1 are affected. • http://blog.s9y.org/archives/187-Serendipity-1.2.1-released.html http://osvdb.org/39143 http://secunia.com/advisories/28012 http://secunia.com/advisories/29502 http://securityreason.com/securityalert/3437 http://www.debian.org/security/2008/dsa-1528 http://www.int21.de/cve/CVE-2007-6205-s9y.html http://www.securityfocus.com/archive/1/484800/100/0/threaded http://www.securityfocus.com/bid/26783 http://www.vupen.com/english/advisories/2007/4171 https://exchange. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 3%CPEs: 1EXPL: 0CVE-2007-4282
https://notcve.org/view.php?id=CVE-2007-4282
The "Extended properties for entries" (entryproperties) plugin in serendipity_event_entryproperties.php in Serendipity 1.1.3 allows remote authenticated users to bypass password protection and "deliver custom entryproperties settings to the Serendipity Frontend" via a certain request that modifies the password being checked. La extensión de "Propiedades extendidas de entrada" (entryproperties) en el serendipity_event_entryproperties.php del Serendipity 1.1.3 permite a atacantes remotos autenticados, evitar la protección de la contraseña y "establecer una configuración de las entryproperties a medida en el Serendipity Frontend" a través de ciertas peticiones que modifican si la contraseña ha sido validada. • http://blog.drinsama.de/erich/en/security/2007080801-security-issue-in-serendipity.html http://blog.s9y.org/archives/178-Serendipity-1.1.4-released%2C-security-bug-in-entryproperties-plugin.html http://osvdb.org/36534 http://secunia.com/advisories/26347 http://sourceforge.net/forum/forum.php?forum_id=722867 http://sourceforge.net/project/shownotes.php?group_id=75065&release_id=530716 http://www.securityfocus.com/bid/25235 https://exchange.xforce.ibmcloud.com/vulnerabilities/35868 •