Piwigo 12.3.0 — Stored XSS Vulnerability at Photo Author

Vulnerability Explanation:

Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via Photo Author input.

Affected Component:

http://[IP]/admin.php?page=photos-4

Payload:

<image src/onerror=console.log("test_xss_at_Author")>

Tested on:

1. Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa
2. Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)

Steps to attack:

1. First, we log in with an admin credential to the target application.

2. We click on Admin.

3. We click Photos > Add

4. We select test xss album.

5. We click on Add Photos button.

6. We click on the Start Upload button.

7. We click on the photo we uploaded.

8. We use payload as the Photo Author.

<image src/onerror=console.log("test_xss_at_Author")>

9. We click on the Save Settings button.

10. We click on the eye button as seen in the picture below.

11. We press F12 to open develop tools and We found in the console tab The XSS payload will be executed.

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

https://piwigo.org/