PT-2019-12531 · Serendipity · Serendipity

Hanno Böck

Published

2019-05-09

Updated

2019-05-10

CVE-2019-11870

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Serendipity versions prior to 2.1.5

Description The issue arises from mishandled EXIF data in the Editor Preview feature of the templates/2k11/admin/media choose.tpl or the Media Library feature of the templates/2k11/admin/media items.tpl, leading to a cross-site scripting (XSS) vulnerability.

Recommendations For versions prior to 2.1.5, update to version 2.1.5 or later to resolve the issue. As a temporary workaround, consider disabling the Editor Preview feature in the templates/2k11/admin/media choose.tpl and restricting access to the Media Library feature in the templates/2k11/admin/media items.tpl until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-11870

Affected Products

Serendipity

PT-2019-12531 · Serendipity · Serendipity

CVE-2019-11870

Weakness Enumeration

Related Identifiers

Affected Products

References · 6