CVE-2014-9432

Name of the Vulnerable Software and Affected Versions Serendipity versions prior to 2.0-rc2

Description The issue allows remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY STRING to serendipity/index.php, potentially leading to cross-site scripting (XSS) attacks. This is due to multiple XSS vulnerabilities in the templates/2k11/admin/overview.inc.tpl file.

Recommendations For Serendipity versions prior to 2.0-rc2, update to version 2.0-rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to the serendipity/index.php file or disabling the affected template file until a patch is available. Avoid using the QUERY STRING parameter in the serendipity/index.php file until the issue is resolved.