FreeBSD : Serendipity -- XSS Vulnerabilities (96ed277b-60e0-11db-ad2d-0016179b2dd5)

Severity: High. Nessus Plugin ID 22910


The remote FreeBSD host is missing a security-related update.


The Serendipity Team reports :

Serendipity failed to correctly sanitize user input on the media manager administration page. The content of GET variables was written into JavaScript strings. By using standard string evasion techniques it was possible to execute arbitrary JavaScript.

Additionally Serendipity dynamically created an HTML form on the media manager administration page that contained all variables found in the URL as hidden fields. While the variable values were correctly escaped it was possible to break out by specifying strange variable names.
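The two flaws described above, the request value dropped into a JavaScript string literal and the hidden-field form that escaped values but not names, as an added illustration of the pattern in Python; this is not Serendipity's code, and SAMPLE_PARAMS and the function names are constructed for the example. Each flawed helper sits beside a corrected one that escapes for the context it writes into.

```python
import html
import json

# Constructed sample request parameters (name -> value), as a server would
# receive them from the query string. One name carries an attribute-injection
# attempt; the value itself is harmless.
SAMPLE_PARAMS = {"page": "1", 'x" onfocus="alert(1)': "harmless"}


def hidden_fields_unsafe(params):
    """Flawed pattern: values are escaped, but names are copied verbatim."""
    return "".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value)}">'
        for name, value in params.items()
    )


def hidden_fields_safe(params):
    """Escape every attribute, name and value alike, before emitting it."""
    return "".join(
        f'<input type="hidden" name="{html.escape(name)}" value="{html.escape(value)}">'
        for name, value in params.items()
    )


def js_string_unsafe(value):
    """Flawed pattern: a request value dropped straight into a JS string literal."""
    return f'var dir = "{value}";'


def js_string_safe(value):
    """Emit the value as a JSON literal, which is also a valid JS string literal.

    json.dumps escapes quotes and backslashes; '<' and '>' are additionally
    written as \\u escapes so the literal can never close a <script> element.
    """
    literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"var dir = {literal};"
```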


Update the affected package.


Plugin Details

Severity: High

ID: 22910

File Name: freebsd_pkg_96ed277b60e011dbad2d0016179b2dd5.nasl

Version: $Revision: 1.9 $

Type: local

Published: 2006/10/25

Modified: 2013/06/22

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:serendipity, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2006/10/21

Vulnerability Publication Date: 2006/10/19

Reference Information

Secunia: 22501