Cross-Site Scripting Vulnerability in Serendipity Blog Software
CVE-2019-11870

6.1MEDIUM

Key Information:

Vendor

S9y

Status
Serendipity
Vendor
CVE Published:
9 May 2019

What is CVE-2019-11870?

Prior to version 2.1.5, the Serendipity blogging software suffered from a cross-site scripting (XSS) vulnerability. This flaw arises from improper handling of EXIF data in the Editor Preview feature located in templates/2k11/admin/media_choose.tpl and the Media Library feature found in templates/2k11/admin/media_items.tpl. An attacker could exploit this vulnerability to inject malicious scripts, potentially compromising the security of users accessing impacted areas of the application.

References

https://blog.s9y.org/archives/282-Serendipity-2.1.5-relea...
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2019/05/03/3
x_refsource_MISC
https://github.com/s9y/Serendipity/issues/598
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.