PT-2024-21380 · Piwigo · Piwigo

Imthatt · Published 2024-02-28 · Updated 2025-05-13 · CVE-2024-26450

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Piwigo versions prior to 14.2.0
Description: An issue exists within Piwigo that allows a malicious user to take over the application. The attack chains a Cross-Site Request Forgery vulnerability with a Stored Cross-Site Scripting payload that is persisted in an administrator's dashboard, so that remote JavaScript executes in the administrator's browser. This can be used to upload a new PHP file under the administrator's privileges and call that file directly on the victim's instance so that it connects back to a malicious listener. A remote attacker can also use the vulnerability to escalate privileges via the batch function on the admin page.
Recommendations: For versions prior to 14.2.0, update to version 14.2.0 or later to resolve the issue. As a temporary workaround, consider disabling the batch function on the admin page and restricting access to the admin dashboard to minimize the risk of exploitation. Avoid using the application's admin features until the issue is resolved.
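The two weaknesses named above, CSRF on a state-changing admin request and stored XSS in admin-facing output, are usually closed together: a per-session synchronizer token that every state-changing request must carry, and contextual output encoding of any stored value before it is rendered. The following PHP is an added illustration of that pattern; it is not Piwigo's code and does not describe the 14.2.0 fix. The endpoint, the `dashboard_note` field and the in-memory `$store` are hypothetical placeholders.

```php
<?php
// Added illustration (not Piwigo's code): generic mitigations for CSRF on
// state-changing admin requests and for stored XSS in admin-facing output.
// Field and endpoint names below are hypothetical placeholders.
declare(strict_types=1);

// Issue a per-session synchronizer token and keep it server-side.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Reject any state-changing request whose submitted token does not match the
// session token. A cross-origin forged form post cannot read the session and
// so cannot supply it. hash_equals() keeps the comparison constant-time.
function csrf_request_is_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Encode an untrusted stored value for an HTML text context, so a persisted
// script-looking value renders as visible text instead of executing.
function html_escape(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Simulated handler for a hypothetical admin endpoint that stores a value and
// later shows it on the dashboard. Returns [httpStatus, renderedHtml].
function handle_admin_save(array &$session, array $post, array &$store): array
{
    if (!csrf_request_is_valid($session, $post)) {
        return [403, '<p>Request rejected: missing or invalid CSRF token.</p>'];
    }
    $store['dashboard_note'] = (string) ($post['dashboard_note'] ?? '');
    return [200, '<div class="note">' . html_escape($store['dashboard_note']) . '</div>'];
}

// --- Demo with constructed requests (no real session or database) ---
$session = [];
$store = [];
$token = csrf_issue_token($session);

// 1. A forged cross-origin post carries no session token and is rejected.
[$status, $html] = handle_admin_save($session, ['dashboard_note' => 'x'], $store);
echo "forged request -> HTTP $status\n";

// 2. A legitimate same-origin post with the token succeeds; the stored value
//    is a classic benign XSS probe, which the dashboard renders inert.
$untrusted = '<script>alert(1)</script>';
[$status, $html] = handle_admin_save(
    $session,
    ['csrf_token' => $token, 'dashboard_note' => $untrusted],
    $store
);
echo "legitimate request -> HTTP $status\n";
echo "rendered: $html\n";
```

Run it with `php` on the command line. The token check is the control that breaks the first link of the chain described in this advisory; the output encoding is the control that breaks the second, and both are needed because a stored value may also reach the dashboard through paths that never pass the token check.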

Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers

CVE-2024-26450
GHSA-P362-CFPJ-Q55F

Affected Products

Piwigo