CVE-2012-2331

Published: Aug 13, 2012Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in serendipity/serendipity_admin_image_selector.php in Serendipity before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the serendipity[textarea] parameter. NOTE: this issue might be resultant from cross-site request forgery (CSRF).

Affected (35)

Products: S9y: Serendipity

1 product

Configuration A

35 vulnerable

Vulnerable Software	Affected Versions
S9y Serendipity	Up to 1.6
S9y Serendipity	Version 0.3
S9y Serendipity	Version 0.4
S9y Serendipity	Version 0.7.1
S9y Serendipity	Version 0.7
S9y Serendipity	Version 0.8.1
S9y Serendipity	Version 0.8.2
S9y Serendipity	Version 0.8.3
S9y Serendipity	Version 0.8.4
S9y Serendipity	Version 0.8.5
S9y Serendipity	Version 0.8
S9y Serendipity	Version 0.9.1
S9y Serendipity	Version 0.9
S9y Serendipity	Version 1.0.1
S9y Serendipity	Version 1.0.2
S9y Serendipity	Version 1.0.3
S9y Serendipity	Version 1.0.4
S9y Serendipity	Version 1.0
S9y Serendipity	Version 1.1.1
S9y Serendipity	Version 1.1.2
S9y Serendipity	Version 1.1.3
S9y Serendipity	Version 1.1.4
S9y Serendipity	Version 1.1
S9y Serendipity	Version 1.2.1
S9y Serendipity	Version 1.2
S9y Serendipity	Version 1.3.1
S9y Serendipity	Version 1.3
S9y Serendipity	Version 1.4.1
S9y Serendipity	Version 1.4
S9y Serendipity	Version 1.5.1
S9y Serendipity	Version 1.5.2
S9y Serendipity	Version 1.5.3
S9y Serendipity	Version 1.5.4
S9y Serendipity	Version 1.5.5
S9y Serendipity	Version 1.6.1

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (18)

http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html

Source: secalert@redhat.com

http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html

Source: secalert@redhat.com

http://secunia.com/advisories/49009

Source: secalert@redhat.com

Vendor Advisory

http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt

Source: secalert@redhat.com

Exploit

http://www.openwall.com/lists/oss-security/2012/05/08/6

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2012/05/09/2

Source: secalert@redhat.com

http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Site-Scripting-and-SQL-Injection-vulnerability.html

Source: secalert@redhat.com

Exploit

http://www.securityfocus.com/bid/53418

Source: secalert@redhat.com

Exploit

https://github.com/s9y/Serendipity/commit/264bf55719baacc069ff9d3cc35f0c349cde11e3

Source: secalert@redhat.com

ExploitPatch

http://archives.neohapsis.com/archives/bugtraq/2012-05/0037.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://blog.s9y.org/archives/240-Serendipity-1.6.1-released.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/49009

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.koramis.com/advisories/2012/KORAMIS-ADV2012-001.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.openwall.com/lists/oss-security/2012/05/08/6

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2012/05/09/2

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.rul3z.de/index.php?/214-KORAMISADV2012-001-Serendipity-1.6-Backend-Cross-Site-Scripting-and-SQL-Injection-vulnerability.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.securityfocus.com/bid/53418

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://github.com/s9y/Serendipity/commit/264bf55719baacc069ff9d3cc35f0c349cde11e3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

Timeline

No history available yet.