Quote from www.s9y.org:
"Serendipity is a PHP-powered weblog application which gives the user an
easy way to maintain an online diary, weblog or even a complete
homepage. While the default package is designed for the casual blogger,
Serendipity offers a flexible, expandable and easy-to-use framework with
the power for professional applications.
Casual users appreciate the way Serendipity's sophisticated plugin
architecture allows you to easily modify both the appearance of your
blog and its features.
You can install more than 120 plugins with just one click, instantly
enhancing your blog's functionality."
While testing Serendipity, an XSS flaw was discovered in the optional
plugin for tagging entries, called "Freetag". This could, for example,
lead to a hijacked Serendipity account.
The Freetag-plugin displays the tag name, specified in a URL, back to
Due to defective sanitization of this user input, it is possible to
inject arbitrary script which is reflected back into the page.
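The following is an added illustration of the defect class described above; it is not Freetag's or Serendipity's own code. It shows the general reflected-XSS pattern (a request parameter echoed into HTML without output encoding) next to the hardened form, using a hypothetical `tag` query parameter and function names chosen for this example.

```php
<?php
// Added example (not the plugin's code): a tag name taken from the query
// string and echoed back into the page, first without output encoding and
// then with it. The "tag" parameter and the function names are assumptions.

// Vulnerable pattern: the raw parameter value lands inside the HTML
// unchanged, so any markup or script it contains is interpreted by the
// browser. This is the reflected XSS class the advisory describes.
function render_tag_heading_unsafe(string $tag): string {
    return '<h2>Entries tagged "' . $tag . '"</h2>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes single quotes (relevant inside attributes),
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an
// empty string, and the explicit charset avoids relying on a default.
function render_tag_heading_safe(string $tag): string {
    $encoded = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Entries tagged "' . $encoded . '"</h2>';
}

// Constructed sample input containing characters with HTML meaning; when
// run behind a web server the value comes from the request instead.
$tag = isset($_GET['tag']) ? (string) $_GET['tag'] : 'a<b>&"c"';

// Only the hardened renderer is used for output; the unsafe one is kept
// solely to show the defective pattern side by side.
echo render_tag_heading_safe($tag), "\n";
```

A quick way to check a fix of this kind is to compare the two return values for the same input: the safe variant must contain no literal `<`, `>`, `"` or `&` originating from the parameter, only their entity forms. Encoding belongs at output time, in the context where the value is written (HTML body, attribute, JavaScript, URL), rather than in a single "sanitize on input" step that has to anticipate every later use.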
05. February 2008 - Flaw was discovered and re-checked.
06. February 2008 - Programmers have been notified. (Due to responsible
06. February 2008 - Fix was committed.
07. February 2008 - Freetag 2.96 released to the public.
08. February 2008 - Public disclosure.