S9Y Serendipity 1.3.1

CPE Details

S9Y Serendipity 1.3.1
s9y
serendipity
1.3.1
2009-12-28
18h19 +00:00
2012-06-29
12h54 +00:00
CPE NVD
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
Gestion des notifications

CPE Name: cpe:2.3:a:s9y:serendipity:1.3.1:*:*:*:*:*:*:*

Informations

Vendor

s9y

Product

serendipity

Version

1.3.1

Related CVE

Open and find in CVE List

CVE ID Publié Description Score Gravité
CVE-2020-10964 2020-03-25 20h53 +00:00 Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.
9.8
Critique
CVE-2011-4090 2019-11-26 03h09 +00:00 Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation.
6.1
Moyen
CVE-2011-1135 2019-11-05 19h10 +00:00 Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in plugins/ExtendedFileManager/manager.php and plugins/ImageManager/manager.php.
6.1
Moyen
CVE-2011-1134 2019-11-05 19h07 +00:00 Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.
9.8
Critique
CVE-2011-1133 2019-11-05 19h03 +00:00 Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php.
6.1
Moyen
CVE-2019-11870 2019-05-09 19h25 +00:00 Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
6.1
Moyen
CVE-2017-5474 2017-01-14 05h56 +00:00 Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
6.1
Moyen
CVE-2017-5475 2017-01-14 05h56 +00:00 comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
8.8
Haute
CVE-2017-5476 2017-01-14 05h56 +00:00 Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
8.8
Haute
CVE-2016-10082 2016-12-30 06h08 +00:00 include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
9.8
Critique
CVE-2016-9681 2016-12-25 16h00 +00:00 Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.
5.4
Moyen
CVE-2016-9752 2016-12-01 10h00 +00:00 In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.
8.6
Haute
CVE-2015-8603 2016-01-12 18h00 +00:00 Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php.
5.4
Moyen
CVE-2015-6968 2015-09-16 14h00 +00:00 Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .pht or (2) .phtml extension.
6.5
CVE-2015-6969 2015-09-16 14h00 +00:00 Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 theme in Serendipity before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via a user name in a comment, which is not properly handled in a Reply link.
4.3
CVE-2015-6943 2015-09-15 16h00 +00:00 SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php.
6
CVE-2015-2289 2015-03-23 15h00 +00:00 Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entries.tpl in Serendipity before 2.0.1 allows remote authenticated editors to inject arbitrary web script or HTML via the serendipity[cat][name] parameter to serendipity_admin.php, when creating a new category.
3.5
CVE-2013-5670 2013-11-05 18h00 +00:00 Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.
4.3
CVE-2013-5314 2013-08-19 20h00 +00:00 Cross-site scripting (XSS) vulnerability in serendipity_admin_image_selector.php in Serendipity 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the serendipity[htmltarget] parameter.
4.3
CVE-2012-2331 2012-08-13 23h00 +00:00 Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
4.3
CVE-2012-2332 2012-08-13 23h00 +00:00 SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).
7.5
CVE-2012-2762 2012-06-07 17h00 +00:00 SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php.
7.5
CVE-2010-2957 2010-09-10 17h00 +00:00 Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2.6
CVE-2010-1916 2010-05-11 22h00 +00:00 The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.
7.5
CVE-2009-4412 2009-12-24 15h00 +00:00 Unrestricted file upload vulnerability in Serendipity before 1.5 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory. NOTE: some of these details are obtained from third party information.
6