CVE-2026-39963

Severity: MEDIUM (CVSS 3.1 base score 6.9)
Date: 2026-04-14
Project: https://github.com/s9y/Serendipity
Advisory: GHSA-4m6c-649p-f6gf

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 15, 2026 - 01:12 (vuln.today)

Description (NVD)

Summary

The serendipity_setCookie() function uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker can force authentication cookies - including session tokens and auto-login tokens - to be scoped to an attacker-controlled domain, facilitating session hijacking.

Details

In include/functions_config.inc.php:726:

```php
function serendipity_setCookie($name, $value, $securebyprot = true, ...) {
    $host = $_SERVER['HTTP_HOST']; // ← attacker-controlled, no validation

    if ($securebyprot) {
        if ($pos = strpos($host, ":")) {
            $host = substr($host, 0, $pos); // strips the port only
        }
    }

    setcookie("serendipity[$name]", $value, [
        'domain'   => $host,   // ← poisoned domain
        'httponly' => $httpOnly,
        'samesite' => 'Strict'
    ]);
}
```

This function is called during login with sensitive cookies:

```php
// functions_config.inc.php:455-498
serendipity_setCookie('author_autologintoken', $rnd, true, false, true);
serendipity_setCookie('author_username', $user);
serendipity_setCookie('author_token', $hash);
```

If an attacker can influence the Host header at login time (e.g. via MITM, reverse proxy misconfiguration, or load balancer), authentication cookies are issued scoped to the attacker's domain instead of the legitimate one.

PoC

```bash
curl -v -X POST \
  -H "Host: attacker.com" \
  -d "serendipity[user]=admin&serendipity[pass]=admin" \
  http://[TARGET]/serendipity_admin.php 2>&1 | grep -i "set-cookie"
```

Expected output:

```http
Set-Cookie: serendipity[author_token]=; domain=attacker.com; HttpOnly
```

Impact

  • Session fixation - attacker pre-sets a cookie scoped to their domain, then tricks the victim into authenticating, inheriting the poisoned token
  • Token leakage - author_autologintoken scoped to wrong domain may be sent to attacker-controlled infrastructure
  • Privilege escalation - if admin logs in under a poisoned Host header, their admin token is compromised

Suggested Fix

Validate HTTP_HOST against the configured $serendipity['url'] before use:

```php
function serendipity_setCookie($name, $value, ...) {
    global $serendipity;
    $configured = parse_url($serendipity['url'], PHP_URL_HOST);
    $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
    $host = ($host === $configured) ? $host : $configured;

    setcookie("serendipity[$name]", $value, [
        'domain' => $host,
        ...
    ]);
}
```
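The same Host check as a stand-alone, runnable illustration (an added example in Python, not Serendipity's code; CONFIGURED_URL stands in for $serendipity['url'] and the log lines are constructed), extended with the normalisation a practitioner would want (case folding, IPv6 literals) and a small log sweep that flags login requests whose Host header would have been rejected:

```python
"""Host-validated cookie domain, mirroring the Suggested Fix above.

Added example in Python, not Serendipity's own code. CONFIGURED_URL stands in
for $serendipity['url']; the log lines read by host_mismatches() are constructed.
"""
import re
from urllib.parse import urlsplit

CONFIGURED_URL = "https://blog.example.org:8443/"  # constructed stand-in for $serendipity['url']
_PORT_RE = re.compile(r":[0-9]+$")  # same rule as the fix's preg_replace('/:[0-9]+$/', '', ...)


def vulnerable_cookie_domain(host_header: str) -> str:
    """Original behaviour: trust the Host header and strip only a trailing port."""
    return _PORT_RE.sub("", host_header)


def configured_host(url: str = CONFIGURED_URL) -> str:
    """Host of the configured base URL; urlsplit() lowercases it and drops IPv6 brackets."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("configured base URL has no host")
    return host


def normalise_host(host_header: str) -> str:
    """Comparable form of a Host header: port and IPv6 brackets removed, lower-cased."""
    return _PORT_RE.sub("", (host_header or "").strip()).strip("[]").lower()


def host_is_trusted(host_header: str, url: str = CONFIGURED_URL) -> bool:
    """True only when the request Host names the configured host."""
    return normalise_host(host_header) == configured_host(url)


def safe_cookie_domain(host_header: str, url: str = CONFIGURED_URL) -> str:
    """Cookie domain to use: the request host when trusted, otherwise the configured host."""
    return normalise_host(host_header) if host_is_trusted(host_header, url) else configured_host(url)


def host_mismatches(log_lines, url: str = CONFIGURED_URL):
    """Host values of login POSTs, from constructed 'METHOD PATH host=<Host>' lines, that fail host_is_trusted()."""
    hits = []
    for line in log_lines:
        method, path, host_field = line.split(" ", 2)
        host = host_field.split("=", 1)[1]
        if method == "POST" and path.startswith("/serendipity_admin.php") and not host_is_trusted(host, url):
            hits.append(host)
    return hits
```

Because both branches of the fix resolve to the configured host, the check's real effect is that the Host header never selects the cookie domain; keeping the predicate separate lets rejected hosts be logged for follow-up.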

Analysis (AI)

Serendipity's serendipity_setCookie() function accepts unsanitized HTTP_HOST header values as the cookie domain parameter, allowing remote attackers to scope authentication cookies (session tokens, auto-login tokens) to attacker-controlled domains and facilitate session hijacking. Exploitation requires user interaction (the victim authenticating while the Host header is poisoned) together with a man-in-the-middle position or a reverse proxy misconfiguration, and affects all versions of Serendipity that use the vulnerable function. …
