CVE-2017-8102 - OpenCVE

Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
S9y	Serendipity

Configuration 1 [-]

cpe:2.3:a:s9y:serendipity:2.1:rc1:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/fulldisclosure/2017/Apr/44	Exploit Third Party Advisory VDB Entry
https://github.com/s9y/Serendipity/issues/456	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:23:05

Updated: 2022-10-03T16:23:05

Reserved: 2022-10-03T00:00:00

Link: CVE-2017-8102

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-04-24T18:59:00.803

Modified: 2017-04-28T15:57:59.200

Link: CVE-2017-8102

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:s9y:serendipity:2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "6F3A96D8-7D15-4365-A30D-FD4A72D3141B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin."}, {"lang": "es", "value": "XSS almacenado en Serendipity v2.1-rc1 permite a un atacante robar una cookie de un administrador y otra informaci\u00f3n componiendo una nueva entrada como un usuario editor. Esto est\u00e1 relacionado con la falta del plugin serendipity_event_xsstrust plugin y un error set_config en ese plugin."}], "id": "CVE-2017-8102", "lastModified": "2017-04-28T15:57:59.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-24T18:59:00.803", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://seclists.org/fulldisclosure/2017/Apr/44"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/s9y/Serendipity/issues/456"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}