S9Y : Security Vulnerabilities, CVEs, CVSS score >= 8
An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows attackers to execute arbitrary code via a crafted HTML or Javascript file.
Max CVSS
8.8
EPSS Score
0.07%
Published
2023-05-16
Updated
2023-05-23
Serendipity before 2.3.4 on Windows allows remote attackers to execute arbitrary code because the filename of a renamed file may end with a dot. This file may then be renamed to have a .php filename.
Max CVSS
9.8
EPSS Score
2.22%
Published
2020-03-25
Updated
2020-03-27
There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.
Max CVSS
8.8
EPSS Score
0.09%
Published
2017-04-24
Updated
2017-04-27
SQL injection vulnerability in include/functions_entries.inc.php in Serendipity 2.0.5 allows remote authenticated users to execute arbitrary SQL commands via the cat parameter.
Max CVSS
8.8
EPSS Score
0.14%
Published
2017-01-28
Updated
2019-03-19
Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-01-14
Updated
2017-01-25
comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.
Max CVSS
8.8
EPSS Score
0.07%
Published
2017-01-14
Updated
2017-01-25
serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.
Max CVSS
9.8
EPSS Score
0.43%
Published
2019-05-24
Updated
2019-05-29
include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
Max CVSS
9.8
EPSS Score
0.60%
Published
2016-12-30
Updated
2017-01-03
In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.
Max CVSS
8.6
EPSS Score
0.20%
Published
2016-12-01
Updated
2016-12-03
Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code in the image manager.
Max CVSS
9.8
EPSS Score
1.34%
Published
2019-11-05
Updated
2019-11-08
Serendipity before 0.8 allows Chief users to "hide plugins installed by other users."
Max CVSS
10.0
EPSS Score
0.26%
Published
2005-05-03
Updated
2008-09-05
Unknown vulnerability in serendipity_config_local.inc.php for Serendipity before 0.8 has unknown impact.
Max CVSS
10.0
EPSS Score
0.21%
Published
2005-05-03
Updated
2008-09-05
12 vulnerabilities found