![[CVE-2022–42097]Backdrop-XSS-at-Comments](https://miro.medium.com/fit/c/224/224/1*e0Jx0tigrWii-I1eJfzzYA.png)
![[CVE-2022–42097]Backdrop-XSS-at-Comments](https://miro.medium.com/fit/c/160/112/1*e0Jx0tigrWii-I1eJfzzYA.png)
Enter your username and password; the account must have admin privileges.
Select some post at the main website.
Enter your username and password; the account must have admin privileges.
Select Content > add content > Post
Enter your username and password; the account must have admin privileges.
Select Content > add content > Page
Enter your username and password; the account must have admin privileges.
Select Content > add content > Card
Vulnerability Explanation:
Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via tag input.
Affected Component:
http://[IP]/admin.php?page=tags
Payload:
<image src/onerror=console.log("test_xss_at_Tags")>Tested on:
- Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa
- Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)
Steps to attack:
1. First, we log in with an admin credential to the target application.
2. We click on Admin.
Vulnerability Explanation:
Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Gallery title input.
Affected Component:
http://[IP]/admin.php?page=configuration
Payload:
<image src/onerror=console.log("test_xss_at_Gallery_title")>Tested on:
- Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa
- Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)
Steps to attack:
1. First, we log in with an admin credential to the target application.
2. We click on Admin.
