CVE-2017-5475 S9y CVE debrief

Who should care

Administrators and moderators operating Serendipity sites through version 2.0.5 should care most, especially where comment management is available through comment.php or similar admin workflows.

Technical summary

NVD describes a CSRF flaw in Serendipity's comment.php that can be used to delete comments on affected installations through 2.0.5. The vulnerability maps to CWE-352, with a network-reachable attack path and user interaction required per the NVD CVSS vector. The supplied record links the issue to SecurityFocus BID 95656 and Serendipity issue #439.

Defensive priority

High. The issue is remotely reachable and can lead to unauthorized comment deletion, so affected Serendipity deployments should be reviewed and updated promptly.

Recommended defensive actions

• Confirm whether any Serendipity deployment is running version 2.0.5 or earlier and treat it as affected per the NVD range.
• Upgrade to a Serendipity release newer than the vulnerable range once a patched version is available.
• Review comment-moderation and admin workflows for CSRF protections, including request validation and anti-CSRF token enforcement.
• Limit access to comment management features to only required users and sessions.
• Monitor for unexpected comment deletions and review audit logs where available.

Evidence notes

The supplied NVD record states: product cpe:2.3:a:s9y:serendipity:* with vulnerability ending at version 2.0.5; weakness CWE-352; CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. References in the record include SecurityFocus BID 95656 and Serendipity GitHub issue #439. The CVE was published on 2017-01-14 and last modified on 2026-05-13 per the supplied timeline.

Official resources