CVE-2016-9681

MEDIUM

S9Y Serendipity < 2.0.4 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95095

[Patch, Vendor Advisory] https://github.com/s9y/Serendipity/commit/e2a665e13b7de82a71c9bbb77575d15131b722be

View Patch ZIP pw:eip

[Exploit, Technical Description, Third Party Advisory] https://smarterbitbybit.com/cve-2016-9681-serendipity-cms-xss-vulnerability-in-version-2-0-4/

Scores

CVSS v3 5.4

EPSS 0.0024

EPSS Percentile 46.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (2)

s9y/serendipity < 2.0.4

n/a/n/a

Timeline

Published Dec 25, 2016

Tracked Since Feb 18, 2026