PT-2026-21769 · Piwigo · Piwigo

Published 2026-02-24 · Updated 2026-02-25 · CVE-2024-48928

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Piwigo versions 14.x

Description: Piwigo is a photo gallery application for the web. In versions on the 14.x branch, the secret key configuration parameter is set to MD5(RAND()) during installation when MySQL is used. MySQL's RAND() function has only about 30 bits of randomness, so the secret key can be brute-forced in approximately one hour. The CSRF token is partially constructed from the secret key, which makes it possible to verify that a brute-force attempt has succeeded. The auto-login key combines the user's password with the secret key, and the pwg_token combines the user's session identifier with the secret key. Knowing the secret key allows the generation of valid values for get_ephemeral_key.

Recommendations: Update to version 15.0.0 or later.
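As an added illustration (not code from this advisory or from Piwigo), the following Python models why the pattern described above is weak and what the corrected pattern looks like: hashing the output of a 30-bit PRNG yields at most 2^30 distinct keys no matter how long the digest is, whereas a CSPRNG-backed key has the entropy its length suggests. The toy PRNG, the reduced bit widths and the `looks_like_md5_key` audit heuristic are assumptions of this example, not Piwigo's or MySQL's actual implementation.

```python
import hashlib
import secrets

# Constructed simulation of the vulnerable pattern: the key is MD5 over a
# RAND()-style fraction produced by a PRNG with only `seed_bits` of state.
# This is NOT MySQL's real RAND() algorithm; the advisory puts its entropy at
# about 30 bits, and a smaller space is used here so it can be enumerated.
def weak_key(seed: int, seed_bits: int) -> str:
    fraction = seed / float(1 << seed_bits)  # value in [0, 1), like RAND()
    return hashlib.md5(repr(fraction).encode()).hexdigest()

def distinct_weak_keys(seed_bits: int) -> int:
    """Enumerate every PRNG state and count the distinct keys it can yield."""
    return len({weak_key(s, seed_bits) for s in range(1 << seed_bits)})

def effective_key_bits(seed_bits: int, digest_bits: int = 128) -> int:
    """A hash cannot add entropy: the key space is bounded by its input space,
    so MD5 over a 30-bit value gives a 30-bit key, not a 128-bit one."""
    return min(seed_bits, digest_bits)

def strong_key(nbytes: int = 32) -> str:
    """Corrected pattern: draw the key from the OS CSPRNG (256 bits here)."""
    return secrets.token_hex(nbytes)

def looks_like_md5_key(key: str) -> bool:
    """Heuristic audit check (assumption of this example): a secret that is
    exactly 32 lowercase hex characters has the shape of an MD5 digest and is
    worth rotating after the upgrade, since a strong key need not be a hash."""
    return len(key) == 32 and all(c in "0123456789abcdef" for c in key)

if __name__ == "__main__":
    print(distinct_weak_keys(12))              # 4096 == 2**12: MD5 did not enlarge it
    print(effective_key_bits(30))              # 30
    print(looks_like_md5_key(weak_key(7, 12))) # True
    print(looks_like_md5_key(strong_key()))    # False
```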

Weakness Enumeration

Use of Insufficiently Random Values (CWE-330)

Related Identifiers

CVE-2024-48928
GHSA-HGHG-37RG-7R42

Affected Products

Piwigo