Peter Hã¼We

**Name of the Vulnerable Software and Affected Versions** Serendipity (S9Y) versions prior to 1.3-beta1 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via the `Real name` field in Personal Settings, which is then presented to readers of articles, or through a file upload, such as uploading .htm, .html, or .js files. **Recommendations** For versions prior to 1.3-beta1, update to version 1.3-beta1 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload feature and limiting the ability to modify the `Real name` field in Personal Settings to trusted users only. Avoid using the `Real name` field for any sensitive information until the issue is resolved.