S9Y Serendipity 1.5.5: known vulnerabilities

DATE        CVE             VULNERABILITY TITLE (description and risk details follow each entry)

2020-03-25  CVE-2020-10964  Unrestricted Upload of File with Dangerous Type vulnerability in S9Y Serendipity
    Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot.
    Risk 7.5: network, low complexity; vendor s9y; CWE-434

2020-01-22  CVE-2011-3610   Cross-site Scripting vulnerability in S9Y Serendipity Event Freetag
    A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.
    Risk 4.3: network; vendor s9y; CWE-79

2019-11-26  CVE-2011-4090   Cross-site Scripting vulnerability in S9Y Serendipity
    Serendipity before 1.6 has an XSS issue in the karma plugin which may allow privilege escalation.
    Risk 4.3: network; vendor s9y; CWE-79

2019-05-09  CVE-2019-11870  Cross-site Scripting vulnerability in S9Y Serendipity
    Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
    Risk 4.3: network; vendor s9y; CWE-79

2017-01-14  CVE-2017-5476   Cross-Site Request Forgery (CSRF) vulnerability in S9Y Serendipity
    Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
    Risk 6.8: network; vendor s9y; CWE-352

2017-01-14  CVE-2017-5475   Cross-Site Request Forgery (CSRF) vulnerability in S9Y Serendipity
    comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
    Risk 6.8: network; vendor s9y; CWE-352

2017-01-14  CVE-2017-5474   Open Redirect vulnerability in S9Y Serendipity
    Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
    Risk 5.8: network; vendor s9y; CWE-601

2016-12-30  CVE-2016-10082  Improper Access Control vulnerability in S9Y Serendipity
    include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
    Risk 7.5: network, low complexity; vendor s9y; CWE-284

2016-12-25  CVE-2016-9681   Cross-site Scripting vulnerability in S9Y Serendipity
    Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.
    Risk 3.5: network; vendor s9y; CWE-79

2016-12-01  CVE-2016-9752   Server-Side Request Forgery (SSRF) vulnerability in S9Y Serendipity
    In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.
    Risk 5.0: network, low complexity; vendor s9y; CWE-918