Serendipity failed to correctly sanitize user input on the
media manager administration page. The content of GET variables
were written into JavaScript strings. By using standard string
evasion techniques it was possible to execute arbitrary
JavaScript.
Additionally Serendipity dynamically created a HTML form on
the media manager administration page that contained all
variables found in the URL as hidden fields. While the variable
values were correctly escaped it was possible to break out
by specifying strange variable names.