Xinha Dynamic Configuration Arbitrary File Upload Vulnerability

BID:40033

Info

Xinha Dynamic Configuration Arbitrary File Upload Vulnerability

Bugtraq ID: 40033
Class: Design Error
CVE: CVE-2010-1916
Remote: Yes
Local: No
Published: May 10 2010 12:00AM
Updated: Apr 13 2015 09:17PM
Credit: Stefan Esser
Vulnerable: Xinha Xinha 0.96 beta2
+ S9Y Serendipity 1.5.3
+ S9Y Serendipity 1.5.2
+ S9Y Serendipity 1.4
Xinha Xinha 0.95
+ S9Y Serendipity 1.5.3
+ S9Y Serendipity 1.5.2
+ S9Y Serendipity 1.4
Not Vulnerable:

Discussion

Xinha Dynamic Configuration Arbitrary File Upload Vulnerability

Xinha is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to properly restrict configuration changes.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Xinha 0.96 beta2 is vulnerable; other versions may also be affected. In addition, versions prior to Serendipity 1.5.3 utilize vulnerable versions of Xinha and are therefore also vulnerable.

Exploit / POC

Xinha Dynamic Configuration Arbitrary File Upload Vulnerability

Attackers can exploit this issue via a browser.

Solution / Fix

Xinha Dynamic Configuration Arbitrary File Upload Vulnerability

Solution:
Updates are available. Please see the references for more information.


Xinha Xinha 0.96 beta2

Xinha Xinha 0.95

References

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report