CVE-2016-10737

Found a bug? Tell us!!
hsalo
Posts: 1
Joined: Mon Jan 21, 2019 11:13 am

CVE-2016-10737

Post by hsalo » Mon Jan 21, 2019 11:33 am

Hello,

Vulnerability CVE-2016-10737 is described as:

Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.

with https://www.exploit-db.com/exploits/40650 as reference.

In what release is this vulnerability fixed?

onli
Regular
Posts: 2370
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli » Wed Jan 23, 2019 5:48 pm

https://github.com/s9y/Serendipity/releases/tag/2.1.3 might reference that with "Prevent XSS in the "Edit entries" panel".

cervoise
Posts: 2
Joined: Wed May 20, 2020 1:55 pm

Re: CVE-2016-10737

Post by cervoise » Wed May 20, 2020 2:01 pm

Hi,

I've tried on a fresh install of v.2.3.5 and a user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration panel or is the XSS back?

onli
Regular
Posts: 2370
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli » Wed May 20, 2020 2:38 pm

In the entries list or in the entry itself?

cervoise
Posts: 2
Joined: Wed May 20, 2020 1:55 pm

Re: CVE-2016-10737

Post by cervoise » Fri May 22, 2020 1:16 pm

I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list". Am I right?

onli
Regular
Posts: 2370
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli » Fri May 22, 2020 3:27 pm

Yes. An editor can put HTML and JavaScript in the entry by default, so that's by design. There is a plugin for that if you don't trust your editors: serendipity_event_xsstrust. It's in Spartacus.
