CVE-2012-2331

Serendipity <1.6.1 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).

Exploits (1)

exploitdb WRITEUP
webapps php
https://www.exploit-db.com/exploits/18884

Scores

EPSS 0.1479
EPSS Percentile 94.4%

Classification

CWE
CWE-79
Status published

Affected Products (36)

s9y/serendipity < 1.6
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
s9y/serendipity
... and 21 more

Timeline

Published Aug 13, 2012
Tracked Since Feb 18, 2026