Enter your username and password; the account must have admin privileges. Select some post at the main website.

Enter your username and password; the account must have admin privileges. Select Content > add content > Post

Enter your username and password; the account must have admin privileges. Select Content > add content > Page

Enter your username and password; the account must have admin privileges. Select Content > add content > Card

Vulnerability Explanation: Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Photo Description input. Affected Component: http://[IP]/admin.php?page=photos-5 Payload: <image src/onerror=console.log("test_xss_at_Description")> Tested on: Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit) Steps to attack:

Vulnerability Explanation: Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Photo Author input. Affected Component: http://[IP]/admin.php?page=photos-4 Payload: <image src/onerror=console.log("test_xss_at_Author")> Tested on: Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit) Steps to attack:

Vulnerability Explanation: Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Photo Title input. Affected Component: http://[IP]/admin.php?page=photos-3 Payload: <image src/onerror=console.log("test_xss_at_Photo_Title")> Tested on: Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit) Steps to attack:

Vulnerability Explanation: Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via tag input. Affected Component: http://[IP]/admin.php?page=tags Payload: <image src/onerror=console.log("test_xss_at_Tags")> Tested on: Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit) Steps to attack: 1. First, we log in with an admin credential to the target application.

Vulnerability Explanation: Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Gallery title input. Affected Component: http://[IP]/admin.php?page=configuration Payload: <image src/onerror=console.log("test_xss_at_Gallery_title")> Tested on: Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit) Steps to attack: