
S9Y Serendipity vulnerabilities

58 known vulnerabilities affecting s9y/serendipity.

Total CVEs: 58
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 19, MEDIUM 31, LOW 2

Vulnerabilities

Page 2 of 3
CVE-2017-1000129 | P3 | HIGH | CVSS 7.5 | affected: v2.0.3 | published: 2017-11-17
CWE-89. Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure.
Source: nvd

CVE-2013-5314 | P4 | MEDIUM | CVSS 4.3 | PoC available | affected: ≤ 1.6.2, v0.3, +34 more | published: 2013-08-19
CWE-79. Cross-site scripting (XSS) vulnerability in serendipity_admin_image_selector.php in Serendipity 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the serendipity[htmltarget] parameter.
Source: nvd

CVE-2005-1451 | P3 | HIGH | CVSS 7.5 | affected: v0.3, v0.4, +11 more | published: 2005-05-03
The media manager in Serendipity before 0.8 allows remote attackers to upload and execute arbitrary (1) .php or (2) .shtml files.
Source: nvd

CVE-2026-39963 | P3 | MEDIUM | CVSS 6.9 | fixed in 2.6.0 | affected: v2.6.0 | published: 2026-04-15
CWE-565. Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host header at login time, such as via MITM, reverse proxy misconfiguration, or lo
Source: ghsa, nvd

CVE-2017-8101 | P3 | HIGH | CVSS 8.8 | affected: v2.0.5 | published: 2017-04-24
CWE-352. There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
Source: nvd

CVE-2017-5475 | P3 | HIGH | CVSS 8.8 | affected: ≤ 2.0.5 | published: 2017-01-14
CWE-352. comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
Source: nvd

CVE-2015-6968 | P3 | MEDIUM | CVSS 6.5 | affected: ≤ 2.0.1 | published: 2015-09-16
Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .pht or (2) .phtml extension.
Source: nvd

CVE-2015-6943 | P3 | MEDIUM | CVSS 6.0 | affected: ≤ 2.0.1 | published: 2015-09-15
CWE-89. SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php.
Source: nvd

CVE-2017-5476 | P4 | HIGH | CVSS 8.8 | affected: ≤ 2.0.5 | published: 2017-01-14
CWE-352. Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
Source: nvd

CVE-2009-4412 | P4 | MEDIUM | CVSS 6.0 | affected: ≤ 1.5, v0.3, +29 more | published: 2009-12-24
Unrestricted file upload vulnerability in Serendipity before 1.5 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory. NOTE: some of these details are obtained from third party information.
Source: nvd

CVE-2011-1135 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.5 | published: 2019-11-05
CWE-79. Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php.
Source: nvd

CVE-2005-1452 | P4 | CRITICAL | CVSS 10.0 | affected: v0.3, v0.4, +4 more | published: 2005-05-03
Serendipity before 0.8 allows Chief users to "hide plugins installed by other users."
Source: nvd

CVE-2006-1910 | P4 | HIGH | CVSS 7.5 | affected: v1.0_beta2 | published: 2006-04-20
config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Source: nvd

CVE-2011-1133 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.5 | published: 2019-11-05
CWE-79. Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
Source: nvd

CVE-2006-2495 | P4 | HIGH | CVSS 7.5 | affected: v0.3, v0.4, +16 more | published: 2006-05-20
Cross-site request forgery (CSRF) vulnerability in the Entry Manager in Serendipity before 1.0-beta3 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag.
Source: nvd

CVE-2005-1449 | P4 | CRITICAL | CVSS 10.0 | affected: v0.3, v0.4, +11 more | published: 2005-05-03
Unknown vulnerability in serendipity_config_local.inc.php for Serendipity before 0.8 has unknown impact.
Source: nvd

CVE-2017-8102 | P4 | MEDIUM | CVSS 5.4 | affected: v2.1 | published: 2017-04-24
CWE-79. Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.
Source: nvd

CVE-2023-53932 | P4 | MEDIUM | CVSS 5.4 | affected: v2.4.0 | published: 2025-12-17
CWE-79. Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post.
Source: nvd

CVE-2019-11870 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.1.5 | published: 2019-05-09
CWE-79. Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
Source: nvd

CVE-2016-9681 | P4 | MEDIUM | CVSS 5.4 | affected: ≤ 2.0.4 | published: 2016-12-25
CWE-79. Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.
Source: nvd