comment.php in Serendipity up to and including 2.0.5 allows CSRF in deleting any comments.
s9y serendipity