Piwigo 12.3.0 — Stored XSS Vulnerability at Photo Title

GrimTheRipper
3 min read · Sep 30, 2022

Vulnerability Explanation:

Piwigo version 12.3.0 contains a stored cross-site scripting (XSS) vulnerability: an attacker can inject script through the Photo Title input, and the stored payload is executed in the browser of anyone who views the photo.

Affected Component:

http://[IP]/admin.php?page=photos-3

Payload:

<image src/onerror=console.log("test_xss_at_Photo_Title")>

Tested on:

  1. Piwigo Version 12.3.0 https://piwigo.org/get-piwigoa
  2. Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)

Steps to attack:

1. First, we log in to the target application with admin credentials.

2. We click on Admin.

3. We click Photos > Add

4. We click on the "Create a new album" button.

5. We type test xss as the Album name and click on the Create button.

6. We click on Add Photos button.

7. We click on the Start Upload button.

8. We click on the photo we uploaded.

9. We use the payload below as the Photo Title.

<image src/onerror=console.log("test_xss_at_Photo_Title")>

10. We click on the Save Settings button.

11. We click on the eye button as seen in the picture below.

12. We press F12 to open the developer tools, and in the Console tab we find that the XSS payload has been executed.
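The steps above reproduce the issue through the UI. The following added example (it is not Piwigo's own code; the function names, the template and the sample rows are assumptions constructed for illustration) shows in Python why a stored title like the one in this write-up becomes live markup when it is interpolated into HTML as-is, what contextual output encoding does to it, and a defender-side sweep over stored titles to find entries that already carry markup.

```python
"""Stored XSS in a photo title: vulnerable rendering, hardened rendering,
and a sweep for already-stored payloads. Added example, not Piwigo code."""
import html
import re

# Constructed input: the payload from the write-up, exactly as an attacker
# would save it in the Photo Title field.
PHOTO_TITLE = '<image src/onerror=console.log("test_xss_at_Photo_Title")>'

# Assumed HTML fragment for the photo page; the real Piwigo template differs.
TEMPLATE = '<h2 class="photo-title">{title}</h2>'


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored value is pasted straight into HTML,
    so a '<' in the title opens a real tag and the browser runs the handler."""
    return TEMPLATE.format(title=title)


def render_title_safe(title: str) -> str:
    """Hardened pattern: entity-encode the value for an HTML text context.
    quote=True also encodes ' and ", so the same helper is safe inside
    attribute values (equivalent to htmlspecialchars with ENT_QUOTES in PHP)."""
    return TEMPLATE.format(title=html.escape(title, quote=True))


def contains_markup(rendered: str, template: str = TEMPLATE) -> bool:
    """Regression check for the encoder: the rendered fragment must contain
    no more '<' characters than the template itself contributes."""
    return rendered.count("<") > template.count("<")


# Patterns that indicate stored markup rather than a plain title:
# a tag opener directly followed by a letter, '!' or '/', an inline event
# handler attribute, or a javascript: URL. '<3' and 'A < B' do not match.
SUSPICIOUS_RE = re.compile(r"<[a-z!/]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_titles(rows):
    """Sweep over (photo_id, title) rows, e.g. exported from the photo table
    after patching, and return the ids whose title looks like markup so the
    entries can be reviewed and cleaned."""
    return [photo_id for photo_id, title in rows if SUSPICIOUS_RE.search(title)]


# Constructed sample rows: two benign titles with '<' that must not trigger,
# the payload from the write-up, and a title with ordinary HTML tags.
SAMPLE_ROWS = [
    (101, "Sunset over the bay"),
    (102, PHOTO_TITLE),
    (103, "Tom & Jerry <3"),
    (104, "Summer 2022 album <b>bold</b>"),
    (105, "A < B comparison"),
]


if __name__ == "__main__":
    print("unsafe :", render_title_unsafe(PHOTO_TITLE))
    print("safe   :", render_title_safe(PHOTO_TITLE))
    print("flagged:", find_suspicious_titles(SAMPLE_ROWS))
```

The safe rendering turns `<image src/onerror=...>` into `&lt;image src/onerror=...&gt;`, which the browser displays as literal text instead of parsing as an element. Encoding must be applied at output time for the context the value lands in (HTML text, attribute, JavaScript string or URL each need a different encoder); filtering on input alone is easy to bypass and does not protect titles that are already stored, which is what the sweep is for. A Content-Security-Policy that disallows inline script handlers is a useful second layer but does not replace output encoding.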

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

https://piwigo.org/
