Vulnerabilities > S9Y > Serendipity > 1.3.1
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2012-08-13 | CVE-2012-2332 | SQL Injection vulnerability in S9Y Serendipity | SQL injection vulnerability in serendipity/serendipity_admin.php in Serendipity before 1.6.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[plugin_to_conf] parameter. | 7.5 |
2012-08-13 | CVE-2012-2331 | Cross-Site Scripting vulnerability in S9Y Serendipity | Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. | 4.3 |
2012-06-07 | CVE-2012-2762 | SQL Injection vulnerability in S9Y Serendipity | SQL injection vulnerability in include/functions_trackbacks.inc.php in Serendipity 1.6.2 allows remote attackers to execute arbitrary SQL commands via the url parameter to comment.php. | 7.5 |
2010-09-10 | CVE-2010-2957 | Cross-Site Scripting vulnerability in S9Y Serendipity | Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2.6 |
2010-05-12 | CVE-2010-1916 | Permissions, Privileges, and Access Controls vulnerability in multiple products | The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. | 7.5 |
2009-12-24 | CVE-2009-4412 | File-Upload vulnerability in Serendipity | Unrestricted file upload vulnerability in Serendipity before 1.5 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory. | 6.0 |