Piwigo 12.3.0 — Stored XSS Vulnerability at Photo Author

Vulnerability Explanation:

Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Photo Author input.

Affected Component:

admin.php?page=photos-4

Payload:

<image src/onerror=console.log("test_xss_at_Author")>

Tested on:

  1. Piwigo Version 12.3.0
  2. Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)

Steps to attack:

1. First, we log in with an admin credential to the target application.

2. We click on Admin.

3. We click Photos > Add

4. We select test xss album.

5. We click on Add Photos button.

6. We click on the Start Upload button.

7. We click on the photo we uploaded.

8. We use payload as the Photo Author.

<image src/onerror=console.log("test_xss_at_Author")>

9. We click on the Save Settings button.

10. We click on the eye button as seen in the picture below.

11. We press F12 to open develop tools and We found in the console tab The XSS payload will be executed.

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store