Piwigo up to 14.0.0.beta3 cross site scripting

Summaryinfo

A vulnerability has been found in Piwigo up to 14.0.0.beta3 and classified as problematic. Impacted is an unknown function of the file /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here. Performing a manipulation results in cross site scripting. This vulnerability is reported as CVE-2023-44393. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic has been found in Piwigo up to 14.0.0.beta3 (Photo Gallery Software). This affects an unknown part of the file /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. This is going to have an impact on integrity. The summary by CVE is:

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.

The weakness was disclosed 10/09/2023 as GHSA-qg85-957m-7vgg. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2023-44393 since 09/28/2023. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

Upgrading to version 14.0.0.beta4 eliminates this vulnerability. Applying the patch cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Photo Gallery Software

Name

• Piwigo

Version

• 14.0.0.beta1
• 14.0.0.beta2
• 14.0.0.beta3

License

• open-source

Website

• Product: https://github.com/Piwigo/Piwigo/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion