CVE-2016-10082

Name of the Vulnerable Software and Affected Versions Serendipity versions prior to 2.1

Description The issue arises from a failure to sanitize the dbType POST parameter in the include/functions installer.inc.php file, which is then used in an include() call in the bundled-libs/serendipity generateFTPChecksums.php file. This can lead to a File Inclusion and possible Code Execution attack during the first-time installation of Serendipity.

Recommendations For Serendipity versions prior to 2.1, update to version 2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the include/functions installer.inc.php file and the bundled-libs/serendipity generateFTPChecksums.php file to minimize the risk of exploitation. Avoid using the dbType parameter in the affected installation process until the issue is resolved.