http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1386
http://www.s9y.org/
The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely.
Various path fields are not escaped properly, thus filling them with javascript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with javascript.
If you are doing a fresh installation of serendipity, use version 1.3.1.
In general, don't leave uninstalled webapplications laying around on a public webspace.
2008-03-21 Vendor contacted with patches
2008-03-21 Vendor fixed issue in trunk/branch revision
2008-04-22 Vendor released 1.3.1
2008-04-22 Advisory published
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-1386 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting. It's licensed under the creative commons attribution license.
Hanno Boeck, 2008-04-xx, http://www.hboeck.de