Filtered by vendor S9y
Filtered by product Serendipity
Total: 53 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2004-2158 | 1 S9y | 1 Serendipity | 2017-07-11 | N/A |
SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php. | ||||
CVE-2004-2157 | 1 S9y | 1 Serendipity | 2017-07-11 | N/A |
Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity 0.7 beta1, and possibly other versions before 0.7-beta3, allows remote attackers to inject arbitrary HTML and PHP code via the (1) email or (2) username field. | ||||
CVE-2004-1620 | 1 S9y | 1 Serendipity | 2017-07-11 | N/A |
CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php. | ||||
CVE-2017-5475 | 1 S9y | 1 Serendipity | 2017-01-25 | N/A |
comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments. | ||||
CVE-2017-5476 | 1 S9y | 1 Serendipity | 2017-01-25 | N/A |
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin. | ||||
CVE-2017-5474 | 1 S9y | 1 Serendipity | 2017-01-25 | N/A |
Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. | ||||
CVE-2016-10082 | 1 S9y | 1 Serendipity | 2017-01-03 | N/A |
include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file. | ||||
CVE-2016-9681 | 1 S9y | 1 Serendipity | 2016-12-30 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name. | ||||
CVE-2016-9752 | 1 S9y | 1 Serendipity | 2016-12-26 | N/A |
In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code. | ||||
CVE-2015-6943 | 1 S9y | 1 Serendipity | 2016-12-22 | N/A |
SQL injection vulnerability in the serendipity_checkCommentToken function in include/functions_comments.inc.php in Serendipity before 2.0.2, when "Use Tokens for Comment Moderation" is enabled, allows remote administrators to execute arbitrary SQL commands via the serendipity[id] parameter to serendipity_admin.php. | ||||
CVE-2006-2495 | 1 S9y | 1 Serendipity | 2011-03-08 | N/A |
Cross-site request forgery (CSRF) vulnerability in the Entry Manager in Serendipity before 1.0-beta3 allows remote attackers to perform unauthorized actions as a logged-in user via a link or IMG tag. | ||||
CVE-2010-1916 | 2 S9y, Xinha | 2 Serendipity, Wysiwyg Editor | 2010-06-13 | N/A |
The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin. | ||||
CVE-2006-1910 | 1 S9y | 1 Serendipity | 2008-09-05 | N/A |
config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||