Vulnerabilities > S9Y > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-01-14 CVE-2017-5474 Open Redirect vulnerability in S9Y Serendipity
Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
network
s9y CWE-601
5.8
2016-12-01 CVE-2016-9752 Server-Side Request Forgery (SSRF) vulnerability in S9Y Serendipity
In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.
network
low complexity
s9y CWE-918
5.0
2015-09-16 CVE-2015-6969 Cross-site Scripting vulnerability in S9Y Serendipity
Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 theme in Serendipity before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via a user name in a comment, which is not properly handled in a Reply link.
network
s9y CWE-79
4.3
2015-09-16 CVE-2015-6968 Unspecified vulnerability in S9Y Serendipity
Multiple incomplete blacklist vulnerabilities in the serendipity_isActiveFile function in include/functions_images.inc.php in Serendipity before 2.0.2 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .pht or (2) .phtml extension.
network
low complexity
s9y
6.5
2015-09-15 CVE-2015-6943 SQL Injection vulnerability in S9Y Serendipity
SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php.
network
s9y CWE-89
6.0
2014-12-31 CVE-2014-9432 Cross-Site Scripting vulnerability in S9Y Serendipity 2.0
Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php.
network
s9y CWE-79
4.3
2013-11-05 CVE-2013-5670 Cross-Site Scripting vulnerability in S9Y Serendipity
Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.
network
s9y CWE-79
4.3
2013-08-19 CVE-2013-5314 Cross-Site Scripting vulnerability in S9Y Serendipity
Cross-site scripting (XSS) vulnerability in serendipity_admin_image_selector.php in Serendipity 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the serendipity[htmltarget] parameter.
network
s9y CWE-79
4.3
2012-08-13 CVE-2012-2331 Cross-Site Scripting vulnerability in S9Y Serendipity
Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter.
network
s9y CWE-79
4.3
2011-09-24 CVE-2011-3800 Information Exposure vulnerability in S9Y Serendipity 1.5.5
Serendipity 1.5.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by templates/newspaper/layout.php and certain other files.
network
low complexity
s9y CWE-200
5.0