CVE-2016-10737
Posted: Mon Jan 21, 2019 11:33 am
by hsalo
Hello,
Vulnerability CVE-2016-10737 is described as:
Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.
with
https://www.exploit-db.com/exploits/40650 as reference.
In what release is this vulnerability fixed?
Re: CVE-2016-10737
Posted: Wed Jan 23, 2019 5:48 pm
by onli
https://github.com/s9y/Serendipity/releases/tag/2.1.3 might reference that with "Prevent XSS in the "Edit entries" panel".
Re: CVE-2016-10737
Posted: Wed May 20, 2020 2:01 pm
by cervoise
Hi,
I've tried on a fresh install of v.2.3.5 and a user with only Editor privileges can still inject JavaScript in a post using the serendipity[body] argument. Is there any configuration to set on the administration panel or is the XSS back?
Re: CVE-2016-10737
Posted: Wed May 20, 2020 2:38 pm
by onli
In the entries list or in the entry itself?
Re: CVE-2016-10737
Posted: Fri May 22, 2020 1:16 pm
by cervoise
I misunderstood the protection. An account with editor privileges can put JavaScript in an entry, but the JavaScript will not be executed on the "entry list". Am I right?
Re: CVE-2016-10737
Posted: Fri May 22, 2020 3:27 pm
by onli
Yes. An editor can put HTML and JavaScript in the entry by default, so that's by design. There is a plugin for that if you don't trust your editors, that's serendipity_event_xsstrust, it's in Spartacus.