CVE-2017-16635

Name of the Vulnerable Software and Affected Versions TinyWebGallery version 2.4

Description The issue allows remote attackers with low-privilege user accounts for backend access to inject malicious script codes into the TWG Explorer item listing. This is achieved by exploiting the mkname, mkitem, and item parameters of the Add/Create module. The request method to inject is POST, and the attack vector is located on the application-side of the service. The injection point is the add/create input field, and the execution point occurs in the item listing after the add or create.

Recommendations For TinyWebGallery version 2.4, consider restricting access to the Add/Create module to prevent exploitation, and avoid using the mkname, mkitem, and item parameters until a fix is available. As a temporary workaround, consider validating and sanitizing user input in the add/create input field to minimize the risk of malicious script code injection.