FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

serendipity -- multiple cross site scripting vulnerabilities

Affected packages
serendipity < 1.3.1
serendipity-devel < 200804242342

Details

VuXML ID 9c133aa0-12bd-11dd-bab7-0016179b2dd5
Discovery 2008-04-22
Entry 2008-04-25

Hanno Boeck reports:

The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely.

Various path fields are not escaped properly, thus filling them with JavaScript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with JavaScript.

In the referrer plugin of the blog application serendipity, the referrer string is not escaped, thus leading to a permanent XSS.
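The three findings above share one root cause: a string that an outside party controls (a Referer header, an installer path field, a database error message echoing that field) is written into HTML without being escaped for the context it lands in. The following Python snippet is an added illustration of that pattern and its fix; it is not Serendipity's code (which is PHP), and the referrer list, the error message and the `is_safe_link` scheme policy are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed sample referrers, as a referrer plugin might record them from the
# HTTP Referer header. Two of them carry markup and quote characters.
SAMPLE_REFERRERS = [
    "http://example.com/blog/",
    "http://example.net/?q=<script>alert(1)</script>",
    'http://example.org/" onmouseover="alert(2)',
]

# Constructed sample of a database error that echoes an installer field back.
SAMPLE_DB_ERROR = "Unknown MySQL server host '<img src=x onerror=alert(3)>'"


def render_referrers_vulnerable(referrers):
    """The bug pattern: stored strings interpolated raw into markup, so whoever
    can set a Referer header controls part of every page that lists referrers."""
    items = "".join(f'<li><a href="{r}">{r}</a></li>' for r in referrers)
    return f"<ul>{items}</ul>"


def is_safe_link(url):
    """Escaping alone does not make an href safe; the URL scheme must be
    restricted too. Hypothetical policy for this example: http/https only."""
    return urlsplit(url).scheme.lower() in ("http", "https")


def render_referrers_fixed(referrers):
    """Hardened form: every untrusted value is HTML-escaped with quote=True, so
    it is inert both as element text and inside a quoted attribute."""
    items = []
    for r in referrers:
        text = escape(r, quote=True)
        if is_safe_link(r):
            items.append(f'<li><a href="{text}">{text}</a></li>')
        else:
            # Unsupported scheme: show the referrer as text, never as a link.
            items.append(f"<li>{text}</li>")
    return "<ul>" + "".join(items) + "</ul>"


def render_error_fixed(message):
    """Error text (e.g. a MySQL connection failure that repeats the host field)
    is escaped before display like any other untrusted string."""
    return f'<p class="error">{escape(message, quote=True)}</p>'


def unescaped_inputs(rendered, inputs):
    """Regression check for templates: return the inputs that contain
    HTML-special characters and still appear verbatim in the rendered page."""
    special = set('<>"\'&')
    return [s for s in inputs if (set(s) & special) and s in rendered]


if __name__ == "__main__":
    print(render_referrers_vulnerable(SAMPLE_REFERRERS))
    print(render_referrers_fixed(SAMPLE_REFERRERS))
    print(render_error_fixed(SAMPLE_DB_ERROR))
    print(unescaped_inputs(render_referrers_fixed(SAMPLE_REFERRERS), SAMPLE_REFERRERS))
```

`unescaped_inputs` is the kind of check worth running over rendered pages in a test suite: it flags any untrusted value that reaches the output unchanged while containing a character that has meaning in HTML, which is exactly the condition behind the referrer, path-field and error-message reports above. Note that the stored-referrer case is "permanent" XSS because the value is written once and re-rendered on every visit, so escaping at output time, not at storage time, is what closes it.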

References

Bugtraq ID 28885
CVE Name CVE-2008-1385
CVE Name CVE-2008-1386
URL http://blog.s9y.org/archives/193-Serendipity-1.3.1-released.html
URL http://int21.de/cve/CVE-2008-1385-s9y.html
URL http://int21.de/cve/CVE-2008-1386-s9y.html