CVE-2016-10737

hsalo
Posts: 1
Joined: Mon Jan 21, 2019 11:13 am

CVE-2016-10737

Post by hsalo »

Hello,

Vulnerability CVE-2016-10737 is described as:

Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.

with https://www.exploit-db.com/exploits/40650 as reference.

In what release is this vulnerability fixed?
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli »

https://github.com/s9y/Serendipity/releases/tag/2.1.3 might reference that with "Prevent XSS in the "Edit entries" panel".
cervoise
Posts: 2
Joined: Wed May 20, 2020 1:55 pm

Re: CVE-2016-10737

Post by cervoise »

Hi,

I've tried on a fresh install of v.2.3.5 and a user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration panel or is the XSS back?
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli »

In the entries list or in the entry itself?
cervoise
Posts: 2
Joined: Wed May 20, 2020 1:55 pm

Re: CVE-2016-10737

Post by cervoise »

I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list". Am I right?
onli
Regular
Posts: 2825
Joined: Tue Sep 09, 2008 10:04 pm

Re: CVE-2016-10737

Post by onli »

Yes. An editor can put HTML and JavaScript in the entry by default, so that's by design. There is a plugin for that if you don't trust your editors, that's serendipity_event_xsstrust, it's in Spartacus.