PT-2017-15031 · Piwigo · Piwigo

Published

2017-12-21

Updated

2018-01-03

CVE-2017-17826

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Piwigo version 2.9.2

Description The issue affects the Configuration component, where a Persistent Cross Site Scripting vulnerability exists via the gallery title parameter in an "admin.php?page=configuration&section=main" request. This can be exploited by an attacker to hijack a client's browser and access the data stored in it.

Recommendations For Piwigo version 2.9.2, avoid using the gallery title parameter in the affected admin.php request until the issue is resolved. As a temporary workaround, consider restricting access to the Configuration component to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-17826

Affected Products

Piwigo

PT-2017-15031 · Piwigo · Piwigo

CVE-2017-17826

Weakness Enumeration

Related Identifiers

Affected Products

References · 4