PT-2017-19208 · Piwigo · Piwigo
Akityoo · Published 2017-06-24 · Updated 2017-06-27
CVE-2017-9836
CVSS v3.1: 4.8 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Piwigo version 2.9.1
Description
A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual name parameter to "/admin.php" when creating a virtual album.
Recommendations
For Piwigo version 2.9.1, avoid using the virtual name parameter in the "/admin.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the virtual album creation feature to minimize the risk of exploitation.
Fix
XSS
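The description above amounts to a stored XSS: an album name supplied through the admin form is later written into a page without HTML encoding. The following Python is an added illustration, not Piwigo code, that models the defect beside the corrected output encoding and adds a simple check over a request body; the form field name `virtual_name` and the request body are constructed assumptions, since the advisory only says "virtual name parameter".

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample request body for a virtual-album creation, as an admin
# form would submit it. Field name "virtual_name" is an assumption.
SAMPLE_BODY = (
    "virtual_name=Holiday+%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submit=1"
)

# Anything that looks like the start of an HTML tag inside an album name.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def render_album_name_unsafe(name: str) -> str:
    """Models the reported defect: the stored name is emitted verbatim,
    so any markup it contains becomes part of the admin page."""
    return f'<li class="album">{name}</li>'


def render_album_name(name: str) -> str:
    """Hardened form: HTML-encode the name at output time so it is
    rendered as text (quote=True also covers attribute contexts)."""
    return f'<li class="album">{html.escape(name, quote=True)}</li>'


def album_name_from_body(body: str, field: str = "virtual_name") -> str:
    """Pull the album name out of a URL-encoded form body ('' if absent)."""
    return parse_qs(body).get(field, [""])[0]


def flag_suspicious_album_name(body: str, field: str = "virtual_name") -> bool:
    """Detection aid: True when the album-name field carries HTML markup,
    which a legitimate album title has no reason to contain."""
    return bool(TAG_RE.search(album_name_from_body(body, field)))


if __name__ == "__main__":
    name = album_name_from_body(SAMPLE_BODY)
    print("flagged:", flag_suspicious_album_name(SAMPLE_BODY))
    print("unsafe :", render_album_name_unsafe(name))
    print("safe   :", render_album_name(name))
```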
Affected Products
Piwigo