Hello,
Vulnerability CVE-2016-10737 is described as:
Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.
with https://www.exploit-db.com/exploits/40650 as reference.
In what release is this vulnerability fixed?
CVE-2016-10737
Re: CVE-2016-10737
https://github.com/s9y/Serendipity/releases/tag/2.1.3 might reference that with "Prevent XSS in the "Edit entries" panel".
Re: CVE-2016-10737
Hi,
I've tryed on a fresh install of v.2.3.5 and an user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration pannel or is the XSS back?
I've tryed on a fresh install of v.2.3.5 and an user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration pannel or is the XSS back?
Re: CVE-2016-10737
In the entries list or in the entry itself?
Re: CVE-2016-10737
I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list. Am I right?
Re: CVE-2016-10737
Yes. An editor can put HTML and Javascript in the entry by default, so that's by design. There is a plugin for that if you don't trust your editors, that's serendipity_event_xsstrust, it's in spartacus.