PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5476 S9y CVE debrief

CVE-2017-5476 affects Serendipity through version 2.0.5. The issue is a cross-site request forgery (CSRF) weakness that can be used to trigger installation of an event plugin or sidebar plugin. Because the action can be induced remotely through a crafted web request and relies on a victim’s authenticated session, it is most relevant to administrators and users with plugin-management access.

Vendor: S9y
Product: CVE-2017-5476
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-14
Original CVE updated: 2026-05-13
Advisory published: 2017-01-14
Advisory updated: 2026-05-13

Who should care

Serendipity site administrators, maintainers, and anyone who can approve or perform plugin installations on affected deployments (through 2.0.5).

Technical summary

NVD classifies the issue as CWE-352 (CSRF) and rates it CVSS 3.0 8.8 HIGH with network attack vector, low attack complexity, no privileges required, and user interaction required. The vulnerable scope is Serendipity versions up to and including 2.0.5. The attack can cause unauthorized plugin installation actions if an authenticated user is induced to submit a malicious request.

Defensive priority

High. This is a remote, low-complexity CSRF issue affecting administrative functionality. Prioritize if your Serendipity deployment allows plugin installation and if privileged users browse untrusted content while authenticated.

Recommended defensive actions

  • Upgrade or otherwise remediate affected Serendipity installations beyond the vulnerable range.
  • Restrict who can install plugins and review whether plugin installation should be available to all administrative users.
  • Harden session and request-handling controls to reduce CSRF exposure, including verifying anti-CSRF protections on plugin-management actions.
  • Monitor for unexpected plugin installation activity and review recently installed event or sidebar plugins on affected systems.
  • Use the official CVE and NVD records to confirm the affected version range and any vendor-issued guidance.
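One way to act on the monitoring item above is to triage web-server logs for plugin-management POSTs whose Referer is not the site itself, the pattern a CSRF-driven install would leave. This is an added example written for this debrief, not code from Serendipity or PatchSiren; the admin script name, the serendipity[adminModule]=plugins query, and all log lines are constructed assumptions, so adjust them to your deployment.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption (not taken from the advisory): plugin management is served by
# serendipity_admin.php with serendipity[adminModule]=plugins; adjust to your install.
ADMIN_SCRIPT = "serendipity_admin.php"
ADMIN_MODULE_KEY = "serendipity[adminModule]"

# Constructed sample lines; none of these hosts or addresses are real observations.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2017:08:01:10 +0000] "POST /serendipity_admin.php?serendipity%5BadminModule%5D=plugins HTTP/1.1" 200 512 "https://blog.example.org/serendipity_admin.php" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2017:08:02:30 +0000] "POST /serendipity_admin.php?serendipity%5BadminModule%5D=plugins HTTP/1.1" 200 512 "https://third-party.example.net/page.html" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2017:08:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "https://blog.example.org/" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2017:08:04:00 +0000] "POST /serendipity_admin.php?serendipity%5BadminModule%5D=plugins HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def is_plugin_admin_post(method, request_path):
    """True for a state-changing (POST) request to the plugin-management module."""
    if method != "POST":
        return False
    url = urlparse(request_path)
    if not url.path.endswith("/" + ADMIN_SCRIPT):
        return False
    return parse_qs(url.query).get(ADMIN_MODULE_KEY) == ["plugins"]

def referer_class(referer, site_host):
    """Classify the Referer: same-site, cross-site, or missing (privacy settings can strip it)."""
    if referer in ("", "-"):
        return "missing"
    return "same-site" if urlparse(referer).hostname == site_host else "cross-site"

def find_csrf_candidates(log_text, site_host):
    """Return plugin-admin POSTs whose Referer is not the site itself, for analyst review."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_plugin_admin_post(m["method"], m["path"]):
            continue
        origin = referer_class(m["referer"], site_host)
        if origin != "same-site":
            findings.append({"ip": m["ip"], "time": m["ts"], "referer": m["referer"], "signal": origin})
    return findings
```

A "cross-site" hit is the stronger signal; a "missing" Referer is common on privacy-hardened browsers and should be correlated with the administrator's own activity before it is treated as an incident.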

Evidence notes

The CVE record and NVD entry describe Serendipity through 2.0.5 as vulnerable to CSRF for installing an event plugin or sidebar plugin. NVD lists CWE-352 and CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a remotely triggered flaw that requires user interaction. Supporting references include the NVD/CVE record, a SecurityFocus advisory entry, and the linked Serendipity issue tracker item.

Official resources

The CVE was published on 2017-01-14T07:59:00.293Z. The stored record was last modified on 2026-05-13T00:24:29.033Z; that later timestamp reflects a metadata update, not the original vulnerability disclosure date.