Serendipity 2.0.3 is vulnerable to a SQL injection in the blog component resulting in information disclosure
7.5CVSS
7.5AI Score
0.001EPSS
Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
6.1CVSS
6.7AI Score
0.001EPSS
8.8CVSS
8.7AI Score
0.001EPSS
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
8.8CVSS
8.7AI Score
0.001EPSS
SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.
8.8CVSS
8.8AI Score
0.001EPSS
There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
8.8CVSS
8.5AI Score
0.001EPSS
Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin.
5.4CVSS
5.1AI Score
0.001EPSS
Serendipity before 2.1.5 has XSS via EXIF data that is mishandled in the templates/2k11/admin/media_choose.tpl Editor Preview feature or the templates/2k11/admin/media_items.tpl Media Library feature.
6.1CVSS
5.8AI Score
0.001EPSS
Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.
9.8CVSS
9.7AI Score
0.028EPSS
An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or Javascript file.
8.8CVSS
8.7AI Score
0.001EPSS