Piwigo 12.3.0 — Stored XSS Vulnerability at Tags

Vulnerability Explanation:

Piwigo Version 12.3.0 has XSS vulnerabilities that allow attackers to store XSS via tag input.

Affected Component:

admin.php?page=tags

Payload:

<image src/onerror=console.log("test_xss_at_Tags")>

Tested on:

  1. Piwigo Version 12.3.0
  2. Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (64-bit)

Steps to attack:

1. First, we log in with an admin credential to the target application.

2. We click on Admin.

3. We click Photos > Tags

4. We click on Add a tag button.

5. We use payload as tag.

<image src/onerror=console.log("test_xss_at_Tags")>

6. We press enter.

7. We press F12 to open develop tools and We found in the console tab The XSS payload will be executed.

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GrimTheRipper

You get the best out of others when you give the best of yourself