PatchSiren

S9y CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH S9y CVE published 2017-01-14

CVE-2017-5476

CVE-2017-5476 affects Serendipity through version 2.0.5. The issue is a cross-site request forgery (CSRF) weakness that can be used to trigger installation of an event plugin or sidebar plugin. Because the installation is induced by a crafted web request that rides on the victim's authenticated session, the exposure is concentrated on administrators and other users with plugin-management rights.

HIGH S9y CVE published 2017-01-14

CVE-2017-5475

CVE-2017-5475 is a cross-site request forgery issue in Serendipity's comment.php. According to NVD, affected versions extend through 2.0.5, and the weakness is classified as CWE-352. The published NVD vector is CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which NVD rates as 8.8 HIGH. The issue is referenced by a SecurityFocus BID entry and a Serendipity GitHub issue tracker report.

MEDIUM S9y CVE published 2017-01-14

CVE-2017-5474

CVE-2017-5474 is an open redirect vulnerability in Serendipity through 2.0.5, located in comment.php. The script redirects based on the HTTP Referer header, so an attacker who supplies a URL in that header can send users to an arbitrary website, a pattern commonly used for phishing. The issue was publicly disclosed on 2017-01-14 and is rated medium severity (CVSS 6.1).