CVE-2016-9752

Published: Dec 1, 2016Modified: May 6, 2026

8.6

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.

Affected (1)

Products: S9y: Serendipity

S9y

1 product

Serendipity

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
S9y Serendipity	Up to 2.0.4

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

http://www.securityfocus.com/bid/94622

Source: cve@mitre.org

https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html

Source: cve@mitre.org

Vendor Advisory

https://github.com/s9y/Serendipity/commit/fbdd50a448ed87ba34ea8c56446b8f1873eadd6f

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

http://www.securityfocus.com/bid/94622

Source: af854a3a-2127-422b-91ae-364da2661108

https://blog.s9y.org/archives/271-Serendipity-2.0.5-and-2.1-beta3-released.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/s9y/Serendipity/commit/fbdd50a448ed87ba34ea8c56446b8f1873eadd6f

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.