Vulnerability category: CGI
Severity:
Vulnerability information
Serendipity is a PHP-powered weblog application which gives the user a way to maintain an online diary, weblog or a complete homepage.
Serendipity contains the following vulnerabilities:
CVE-2016-10082: The include/functions_installer.inc.php source file is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.
CVE-2016-9681: Multiple cross-site scripting vulnerabilities exist in the new-category creation page and in the base-directory creation page.
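The file inclusion flaw described for CVE-2016-10082 is the classic pattern of a request parameter flowing into an include() path. The following is an added illustration, not Serendipity's own code: the unsafe pattern beside a hardened version that resolves the database layer only from an allow-list. Function names, backend names and directory layout are constructed for the example.

```php
<?php
// Added illustration (not Serendipity's code). Backend names and paths are constructed.

// Unsafe pattern: the request value is concatenated straight into the include path,
// so any file name (including traversal sequences) the caller supplies gets included.
function load_db_layer_unsafe(string $dbType, string $libDir): void
{
    include $libDir . '/db/' . $dbType . '.inc.php';
}

// Constructed allow-list of database backends the installer actually ships.
const SUPPORTED_DB_TYPES = ['mysqli', 'pdo-postgres', 'sqlite3'];

// Hardened: accept only a known backend key, then build the path from that trusted
// key and confirm the resolved file still lives inside the library directory.
function resolve_db_layer(string $dbType, string $libDir): string
{
    if (!in_array($dbType, SUPPORTED_DB_TYPES, true)) {
        throw new InvalidArgumentException('Unsupported database type');
    }

    $base = realpath($libDir);
    $real = realpath($libDir . '/db/' . $dbType . '.inc.php');

    // Defence in depth: realpath() fails for missing files and collapses "..",
    // so a file outside $libDir can never pass this prefix check.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Database layer file not found');
    }
    return $real;
}

// Hypothetical use during first-time installation: validate before including.
// $dbType = $_POST['dbType'] ?? '';
// include resolve_db_layer($dbType, __DIR__ . '/bundled-libs');
```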
Affected Versions:
Serendipity versions prior to 2.0.5
Impact
Depending on the vulnerability being exploited, a remote attacker could execute arbitrary code by including malicious files or conduct cross-site scripting attacks against a targeted user.
Solution
Customers are advised to install Serendipity 2.0.5 or a later version to remediate these vulnerabilities.
Patch:
The following links provide patches that fix the vulnerabilities: