SECURITY UPDATE: Serendipity 1.7.8 Update

Last modified: April 3, 2020


The Serendipity vulnerability, found by High-Tech Bridge SA Security Research Lab, can be used to perform SQL injection attacks.

1) SQL injection in Serendipity

1.1) Input passed to comment.php via the "url" GET parameter is not sanitized properly before it is used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The following PoC (Proof of Concept) demonstrates the vulnerability:



Successful exploitation of this vulnerability requires "magic_quotes_gpc" to be off.
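The pattern behind this class of bug, as an added illustration that is not Serendipity's own code: a hypothetical comment lookup that reads the "url" GET parameter, first written the unsafe way and then with validation and a bound parameter. The table and column names (comments, id, body, url) are assumptions for the example.

```php
<?php
// Added illustration, not Serendipity's comment.php: a hypothetical handler
// that reads the "url" GET parameter the advisory refers to.

// VULNERABLE PATTERN: the raw parameter is concatenated into the SQL text.
// With magic_quotes_gpc off, nothing escapes quote characters in the value,
// so attacker-controlled input can change the structure of the query.
// (magic_quotes_gpc was never a reliable defense and was removed in PHP 5.4.)
function lookup_comments_vulnerable(PDO $db, array $get): array
{
    $url = $get['url'] ?? '';
    $sql = "SELECT id, body FROM comments WHERE url = '" . $url . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED PATTERN: validate the input as a URL, then bind it as a parameter.
// The value travels separately from the statement text, so it is always
// treated as data, whatever the magic_quotes_gpc setting happens to be.
function lookup_comments_safe(PDO $db, array $get): array
{
    $url = $get['url'] ?? '';
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return [];   // reject anything that is not a well-formed URL
    }
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE url = :url');
    $stmt->execute([':url' => $url]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example wiring (assumed DSN and credentials; replace with your own):
// $db = new PDO('mysql:host=localhost;dbname=blog', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $rows = lookup_comments_safe($db, $_GET);
```

When auditing a deployment, grep for query strings built by concatenating $_GET, $_POST or $_REQUEST values; each such site is a candidate for the prepared-statement form above.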

Upgrade to Serendipity 1.7.8


More Information:

Serendipity 1.6.2 released

GitHub of Serendipity


Vulnerability Description:
>>  The Serendipity back end is prone to a Cross-Site Scripting and SQL-Injection vulnerability.

>>  Upgrade to version 1.7.8. To upgrade these scripts go to your Control Panel -> Softaculous -> Installations.

You can then update the scripts.

Credits:

>>  Vulnerabilities found and advisory written by Stefan Schurtz (KORAMIS Security Team).

