CVE-2023-44393

Name of the Vulnerable Software and Affected Versions Piwigo versions prior to 14.0.0beta4

Description A reflected cross-site scripting (XSS) issue is present in the /admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here] page. This issue allows an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The issue is caused by the insecure injection of the plugin id value from the URL into the HTML page. An attacker can exploit this issue by crafting a malicious URL that contains a specially crafted plugin id value. Only users who are logged in as administrators are affected, as the issue is only present on the /admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here] page, which is only accessible to administrators.

Recommendations For versions prior to 14.0.0beta4, update to version 14.0.0beta4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here] page to minimize the risk of exploitation. Avoid using the plugin id parameter in the affected API endpoint until the issue is resolved.