CVE-2016-10737

Posted: Mon Jan 21, 2019 11:33 am
by hsalo
Hello,

Vulnerability CVE-2016-10737 is described as:

Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.

with https://www.exploit-db.com/exploits/40650 as reference.

In what release is this vulnerability fixed?

Re: CVE-2016-10737

Posted: Wed Jan 23, 2019 5:48 pm
by onli
https://github.com/s9y/Serendipity/releases/tag/2.1.3 might reference that with "Prevent XSS in the "Edit entries" panel".

Re: CVE-2016-10737

Posted: Wed May 20, 2020 2:01 pm
by cervoise
Hi,

I've tried on a fresh install of v.2.3.5 and a user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration panel or is the XSS back?

Re: CVE-2016-10737

Posted: Wed May 20, 2020 2:38 pm
by onli
In the entries list or in the entry itself?

Re: CVE-2016-10737

Posted: Fri May 22, 2020 1:16 pm
by cervoise
I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list". Am I right?

Re: CVE-2016-10737

Posted: Fri May 22, 2020 3:27 pm
by onli
Yes. An editor can put HTML and JavaScript in the entry by default, so that's by design. There is a plugin for that if you don't trust your editors, that's serendipity_event_xsstrust, it's in spartacus.