Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3-beta1 allows remote authenticated users to inject arbitrary web script or HTML via (1) the "Real name" field in Personal Settings, which is presented to readers of articles; or (2) a file upload, as demonstrated by a .htm, .html, or .js file.
Software | From | Fixed in |
---|---|---|
s9y / serendipity | 0.3 | 0.3.x |
s9y / serendipity | 0.4 | 0.4.x |
s9y / serendipity | 0.5 | 0.5.x |
s9y / serendipity | 0.5_pl1 | 0.5_pl1.x |
s9y / serendipity | 0.6 | 0.6.x |
s9y / serendipity | 0.6_pl1 | 0.6_pl1.x |
s9y / serendipity | 0.6_pl2 | 0.6_pl2.x |
s9y / serendipity | 0.6_pl3 | 0.6_pl3.x |
s9y / serendipity | 0.6_rc1 | 0.6_rc1.x |
s9y / serendipity | 0.6_rc2 | 0.6_rc2.x |
s9y / serendipity | 0.7 | 0.7.x |
s9y / serendipity | 0.7_beta1 | 0.7_beta1.x |
s9y / serendipity | 0.7_beta2 | 0.7_beta2.x |
s9y / serendipity | 0.7_beta3 | 0.7_beta3.x |
s9y / serendipity | 0.7_beta4 | 0.7_beta4.x |
s9y / serendipity | 0.7_rc1 | 0.7_rc1.x |
s9y / serendipity | 0.7.1 | 0.7.1.x |
s9y / serendipity | 0.8 | 0.8.x |
s9y / serendipity | 0.8_beta_6_snapshot | 0.8_beta_6_snapshot.x |
s9y / serendipity | 0.8_beta5 | 0.8_beta5.x |
s9y / serendipity | 0.8_beta6 | 0.8_beta6.x |
s9y / serendipity | 0.8.1 | 0.8.1.x |
s9y / serendipity | 0.8.2 | 0.8.2.x |
s9y / serendipity | 0.9.1 | 0.9.1.x |
s9y / serendipity | 1.0_beta2 | 1.0_beta2.x |
s9y / serendipity | 1.0_beta3 | 1.0_beta3.x |
s9y / serendipity | 1.0.3 | 1.0.3.x |
s9y / serendipity | 1.0.4 | 1.0.4.x |
s9y / serendipity | 1.1.1 | 1.1.1.x |
s9y / serendipity | 1.1.3 | 1.1.3.x |
s9y / serendipity | 1.1.4 | 1.1.4.x |
s9y / serendipity | 1.2 | 1.2.x |
s9y / serendipity | 1.2__beta5 | 1.2__beta5.x |
s9y / serendipity | 1.2.1 | 1.2.1.x |