Serendipity 2.0.1: Persistent XSSDate: 2015-09-01 10:42:40
|Affected Product:||Serendipity 2.0.1|
|Fixed Version Link:||https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip|
|Vulnerability Type:||Persistent XSS|
|Reported to vendor:||07/21/2015|
|Disclosed to public:||09/01/2015|
|Release mode:||Coordinated release|
|Credits||Tim Coen of Curesec GmbH|
2. Vulnerability Description
There is a persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click of the victim to trigger.
The problem exists because the theme reads out the name field of a comment using the jQuery .text() function, which decodes the previously properly encoded name. It then inserts the result back into the DOM.
3. Proof of Concept
- Add comment with name <img src="no" onerror="alert(1)">
- Click "reply" on that comment
To mitigate this issue please upgrade at least to version 2.0.2:
Please note that a newer version might already be available.
5. Report Timeline
|07/21/2015||Informed Vendor about Issue|
|07/24/2015||Vendor releases Version 2.0.2|
|09/01/2015||Disclosed to public|