Vendor: Piwigo
Author: Okan Kurtulus
CVSS: 5.5 (MEDIUM)
Type: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Piwigo
Affected Version From: 13.7.2000
Affected Version To: 13.7.2000
Patch Exists: NO
Related CWE:
CPE: piwigo
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 22.04
2023

Piwigo v13.7.0 – Stored Cross-Site Scripting (XSS) (Authenticated)

Piwigo 13.7.0 is vulnerable to stored cross-site scripting (XSS). An authenticated user who is allowed to upload photos can place a JavaScript payload in the 'Description' field of the photo editing screen. The description is saved server-side and is later rendered into the photo page without being encoded, so when the photo is opened from the homepage the payload executes in the browser of whoever views it. Because the payload persists in the database, every later visitor to that photo page is affected, not only the user who entered it.

Mitigation:

The root cause is missing output encoding, so the fix belongs where the description is rendered: HTML-encode the value (at minimum `<`, `>`, `&`, `"` and `'`) before it is written into the page, rather than trying to filter dangerous strings at upload time. A blocklist that strips `<script>` is not sufficient; the mixed-case payload in the proof of concept below is chosen precisely to slip past case-sensitive filters. If descriptions are meant to carry a limited subset of HTML, use an allowlist-based sanitizer instead of raw escaping. A Content-Security-Policy that forbids inline scripts would reduce the impact of any remaining injection. At the time of writing no vendor patch is listed for this issue (Patch Exists: NO), so operators should restrict photo-upload rights to trusted accounts until one is available.

Exploit-DB raw data:

#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 25 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://piwigo.org
#Version: 13.7.0
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1. Install the system through the website and log in with any user authorized to upload photos.
2. Click "Add" under "Photos" in the left menu. Select the photo you want to upload and upload it.
3. Click on the uploaded photo; the photo editing screen opens. Enter the XSS payload in the "Description" section on this screen. After saving, go to the homepage and open the page with the photo. The XSS payload is triggered.

#Payload
<sCriPt>alert(1);</sCriPt>
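The following is an added example, not code from the advisory or from Piwigo. It models the two halves of the issue above: the tester-side check that decides whether a stored description came back as live markup, and the developer-side contrast between a naive `<script>` blocklist (which the mixed-case payload defeats) and proper HTML output encoding (which neutralizes it). The page template in `render_photo_page` is a constructed stand-in, not Piwigo's real markup.

```python
import html
import re

# Payload from the advisory. The mixed case is deliberate: it survives
# filters that only look for the lowercase spelling of the tag.
PAYLOAD = "<sCriPt>alert(1);</sCriPt>"

# Matches an opening <script> tag in any case, with optional whitespace
# after '<', which is how a browser would still parse it.
SCRIPT_OPEN_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_blocklist(description: str) -> str:
    """Input-side filter of the kind the payload is built to bypass.

    Only the exact lowercase strings are removed, so '<sCriPt>' passes
    through untouched. Shown here as the *wrong* approach.
    """
    return description.replace("<script>", "").replace("</script>", "")


def encode_for_html(description: str) -> str:
    """Output encoding at render time: turns <, >, &, \" and ' into entities
    so the browser treats the description as text, whatever it contains."""
    return html.escape(description, quote=True)


def render_photo_page(description: str, encoder) -> str:
    """Constructed stand-in for a photo page template (hypothetical markup,
    not Piwigo's). `encoder` is applied to the description at the point
    where it is written into the page body."""
    return f'<div class="description">{encoder(description)}</div>'


def has_live_script(rendered_html: str) -> bool:
    """Tester-side check: after saving the payload, fetch the photo page and
    ask whether an un-encoded <script> opening tag is present. True means
    the stored value reached the page as markup rather than as text."""
    return SCRIPT_OPEN_TAG.search(rendered_html) is not None


def compare_defenses(description: str) -> dict:
    """Render the same description through each strategy and report which
    ones leave an executable script tag in the page."""
    strategies = {
        "no_filtering": lambda d: d,
        "naive_blocklist": naive_blocklist,
        "html_encoding": encode_for_html,
    }
    return {
        name: has_live_script(render_photo_page(description, fn))
        for name, fn in strategies.items()
    }


if __name__ == "__main__":
    for name, vulnerable in compare_defenses(PAYLOAD).items():
        print(f"{name:16s} -> {'VULNERABLE' if vulnerable else 'safe'}")
```

When testing against a live instance, `has_live_script` can be run over the HTML of the photo page fetched by a second, unprivileged session, which confirms the stored (rather than merely reflected) nature of the bug; using a unique token inside the `alert()` call helps tell your injection apart from any script legitimately present on the page.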