PT-2019-13293 · Piwigo · Piwigo

Rodolfo Augusto Do Nascimento Tavares · Published 2019-09-13 · Updated 2023-02-28 · CVE-2019-13363

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Piwigo version 2.9.5

Description: The issue is a Cross-Site Scripting (XSS) vulnerability in the admin.php?page=notification_by_mail endpoint. It is reachable through several parameters: nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit. The vulnerability is also exploitable through Cross-Site Request Forgery (CSRF), so an authenticated administrator can be made to trigger it from a third-party page.

Recommendations: For Piwigo version 2.9.5, as a temporary workaround, restrict access to the admin.php?page=notification_by_mail endpoint to minimize the risk of exploitation. Avoid using the parameters nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit on this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
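Until the endpoint can be restricted, a defender can at least watch for the pattern described above in web server logs. The following added example (not code from the advisory or from Piwigo) scans Apache/nginx "combined" format access log lines for requests to admin.php?page=notification_by_mail, flagging markup in any of the listed nbm_* parameters and a Referer from a host other than the gallery itself (the CSRF indicator). The function names, the site hostname and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameters named in the advisory.
NBM_ENDPOINT = "notification_by_mail"
NBM_PARAMS = (
    "nbm_send_html_mail", "nbm_send_mail_as", "nbm_send_detailed_content",
    "nbm_complementary_mail_content", "nbm_send_recent_post_dates", "param_submit",
)
# Markup that has no business in these mail settings (parse_qs has already URL-decoded).
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
# Apache/nginx "combined" log format: client, time, request line, status, size, referer, UA.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'\d+ \S+ "(?P<referer>[^"]*)"'
)

def analyse(line, site_host):
    """Return findings for one log line, or None if it is not a notification_by_mail request."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query, keep_blank_values=True)
    if url.path.rsplit("/", 1)[-1] != "admin.php" or qs.get("page", [""])[0] != NBM_ENDPOINT:
        return None
    findings = []
    for name in NBM_PARAMS:
        for value in qs.get(name, []):
            if MARKUP.search(value):
                findings.append(f"markup in {name}")
    referer = m["referer"]
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host and ref_host != site_host:
        findings.append(f"cross-site referer {ref_host}")  # request did not originate from the gallery
    return {"ip": m["ip"], "method": m["method"], "findings": findings}

def scan_log(text, site_host):
    """Return one record per suspicious request to the notification_by_mail page."""
    hits = []
    for line in text.splitlines():
        result = analyse(line, site_host)
        if result and result["findings"]:
            hits.append(result)
    return hits

# Constructed sample log lines (not from a real server); the second is the suspicious one.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Sep/2019:10:01:02 +0000] "GET /piwigo/admin.php?page=notification_by_mail HTTP/1.1" 200 5120 "https://gallery.example.org/piwigo/admin.php" "Mozilla/5.0"
203.0.113.9 - - [13/Sep/2019:10:02:17 +0000] "GET /piwigo/admin.php?page=notification_by_mail&nbm_send_mail_as=%3Cb%3Eadmin%3C%2Fb%3E&param_submit=1 HTTP/1.1" 200 5120 "https://other-site.example/page.html" "Mozilla/5.0"
203.0.113.2 - - [13/Sep/2019:10:03:40 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "gallery.example.org"):
        print(hit["ip"], hit["method"], "; ".join(hit["findings"]))
```

Only the query string is visible in access logs, so parameters submitted in a POST body will not be inspected by this check; the cross-site Referer signal still applies to those requests.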

Exploit · CSRF · XSS

Weakness Enumeration

Related Identifiers: CVE-2019-13363

Affected Products: Piwigo