VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2525

Description

Cross-site scripting (XSS) vulnerability in Serendipity before 0.7.1 allows remote attackers to inject arbitrary web script via the searchTerm parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the compat.php script of Serendipity prior to version 0.7.1. The searchTerm variable is not properly sanitized before being echoed back to the user, allowing injection of arbitrary HTML and JavaScript. No special configuration is required for the code path to be reachable [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the searchTerm parameter with embedded script. The victim must click on the crafted link; no authentication or special network position is required. The injected script executes in the context of the vulnerable site [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, leading to potential session hijacking, defacement, or phishing attacks within the Serendipity application [1].

Mitigation

The issue is fixed in Serendipity version 0.7.1, released in 2004. Users should upgrade to at least 0.7.1 to eliminate the vulnerability. No workarounds are documented [1].
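
A log-review sketch for sites that ran a release before 0.7.1, added here as an example and not taken from Serendipity or the cited reference: it flags requests whose decoded searchTerm value contains angle brackets. The combined access-log format, the request paths and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Angle brackets only matter if searchTerm is echoed into HTML unencoded.
# Quote characters are left out on purpose: quoted phrase searches are common.
MARKUP_RE = re.compile(r"[<>]")

# Constructed sample lines (documentation IP range, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php?searchTerm=php+security HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /index.php?searchTerm=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5302',
    '192.0.2.12 - - [01/Jan/2005:10:00:09 +0000] "GET /index.php?searchTerm=%253Ci%253Ex HTTP/1.1" 200 5290',
    '192.0.2.13 - - [01/Jan/2005:10:00:12 +0000] "GET /index.php?/archives/1-post.html HTTP/1.1" 200 7001',
]


def decode_repeatedly(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search_terms(log_lines):
    """Return (line_number, decoded searchTerm) for requests carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs performs the first round of percent-decoding.
        for value in parse_qs(query, keep_blank_values=True).get("searchTerm", []):
            decoded = decode_repeatedly(value)
            if MARKUP_RE.search(decoded):
                hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for number, term in suspicious_search_terms(SAMPLE_LOG):
        print(f"line {number}: searchTerm={term!r}")
```

Access logs normally record only the query string, so a searchTerm submitted in a POST body will not appear in this review.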

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
