The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| s9y | serendipity | 0.4 |
| s9y | serendipity | 1.0 |
| s9y | serendipity | 1.0.1 |
| s9y | serendipity | 0.6 |
| s9y | serendipity | 0.8.1 |
| s9y | serendipity | 0.8.4 |
| xinha | wysiwyg_editor | 0.94 |
| s9y | serendipity | 0.9.1 |
| s9y | serendipity | 1.2.1 |
| s9y | serendipity | 0.3 |
| s9y | serendipity | 0.9 |
| xinha | wysiwyg_editor | 0.93 |
| s9y | serendipity | 1.1.2 |
| s9y | serendipity | 0.8 |
| s9y | serendipity | 1.0.2 |
| xinha | wysiwyg_editor | 0.91 |
| xinha | wysiwyg_editor | 0.96 |
| s9y | serendipity | 1.3 |
| s9y | serendipity | 1.5.1 |
| xinha | wysiwyg_editor | 0.9 |
| s9y | serendipity | 1.2 |
| s9y | serendipity | 1.5 |
| s9y | serendipity | 0.7.1 |
| s9y | serendipity | 1.1.3 |
| s9y | serendipity | 1.5.2 |
| s9y | serendipity | 0.8.2 |
| s9y | serendipity | 1.0.3 |
| s9y | serendipity | 1.3.1 |
| s9y | serendipity | 0.8.5 |
| s9y | serendipity | 0.5 |
| xinha | wysiwyg_editor | 0.92 |
| s9y | serendipity | 1.4.1 |
| s9y | serendipity | 0.7 |
| s9y | serendipity | 1.1.1 |
| s9y | serendipity | 1.0.4 |
| xinha | wysiwyg_editor | 0.95 |
| s9y | serendipity | 0.8.3 |
| s9y | serendipity | 1.4 |
| s9y | serendipity | 1.1 |
| s9y | serendipity | 1.1.4 |
Directory traversal vulnerability in plugins/ImageManager/backend.php in Xinha 0.96, as used in Jojo 4.4.0, allows remote attackers to delete any folder via directory traversal sequences in the deld parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| xinha | xinha | 0.96 |