📄 Serendipity 1.6.2 Cross Site Scripting_PACKETSTORM:214743

Description

Multiple cross site scripting vulnerabilities exist in Serendipity version 1.6.2. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...

Visit Original Source

Basic Information

ID PACKETSTORM:214743

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions Serendipity 1.6.2 - Cross-site Scripting
Advisory ID: RO-13-002
Severity: Medium
Vendor: Serendipity
Product: Serendipity
Version: 1.6.2

Overview #

Multiple Cross-site Scripting (XSS) vulnerabilities exist in Serendipity version 1.6.2. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML.

Vulnerability Details #

Affected Versions: 1.6.2 and earlier

Root Cause: Insufficient input validation and output encoding in the admin image selector.
Technical Details #

Vulnerable URLs in serendipity_admin_image_selector.php:

/serendipity_admin_image_selector.php?serendipity[textarea]='%2Balert(0x000887)%2B'

/serendipity_admin_image_selector.php?serendipity[htmltarget]='%2Balert(0x000A02)%2B'

Exploitation Requirements #

No authentication required
Victim must click a crafted link

Impact #

Remote attackers can exploit these vulnerabilities to:

Steal user session cookies
Perform actions on behalf of users
Redirect users to malicious websites

Solution #

Update to a patched version of Serendipity.

References #

Invicti Advisory NS-13-003

Timeline:

[2013-02-26] - First Contact
[2013-03-04] - Sent Details
[2013-07-12] - Advisory Released

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:30:05",
    "description": "Multiple cross site scripting vulnerabilities exist in Serendipity version 1.6.2. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Serendipity 1.6.2 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214743",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Serendipity 1.6.2 - Cross-site Scripting\n    Advisory ID: RO-13-002\n    Severity: Medium\n    Vendor: Serendipity\n    Product: Serendipity\n    Version: 1.6.2\n    \n    \n    Overview #\n    \n    Multiple Cross-site Scripting (XSS) vulnerabilities exist in Serendipity version 1.6.2. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: 1.6.2 and earlier\n    \n    Root Cause: Insufficient input validation and output encoding in the admin image selector.\n    Technical Details #\n    \n    Vulnerable URLs in serendipity_admin_image_selector.php:\n    \n    /serendipity_admin_image_selector.php?serendipity[textarea]='%2Balert(0x000887)%2B'\n    \n    /serendipity_admin_image_selector.php?serendipity[htmltarget]='%2Balert(0x000A02)%2B'\n    \n    \n    \n    Exploitation Requirements #\n    \n        No authentication required\n        Victim must click a crafted link\n    \n    Impact #\n    \n    Remote attackers can exploit these vulnerabilities to:\n    \n        Steal user session cookies\n        Perform actions on behalf of users\n        Redirect users to malicious websites\n    \n    \n    \n    Solution #\n    \n    Update to a patched version of Serendipity.\n    \n    \n    References #\n    \n        Invicti Advisory NS-13-003\n    \n    Timeline:\n    \n        [2013-02-26] - First Contact\n        [2013-03-04] - Sent Details\n        [2013-07-12] - Advisory Released\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214743",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214743/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply