Piwigo 12.3.0 — Stored XSS Vulnerability at Gallery title

Vulnerability Explanation:

Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Gallery title input.

Affected Component:

admin.php?page=configuration

Payload:

<image src/onerror=console.log("test_xss_at_Gallery_title")>

Tested on:

  1. Piwigo Version 12.3.0
  2. Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)

Steps to attack:

1. First, we log in with an admin credential to the target application.

2. We click on Admin.

3. We click on Configuration > Options

4. We use payload as the Gallery title.

<image src/onerror=console.log("test_xss_at_Gallery_title")>

5. We click on the Save Settings button.

6. We press F12 to open develop tools and We found in the console tab The XSS payload will be executed.

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GrimTheRipper

You get the best out of others when you give the best of yourself