| Vendor |
|
| Product | Piwigo |
| Affected Version(s) | 2.9.0 probably prior |
| Tested Version(s) | 2.9.0 |
| Vulnerability Discovery | May 29, 2017 |
| Vendor Notification | May 29, 2017 |
| Advisory Publication | June 2, 2017 [without technical details] |
| Vendor Acknowledgment | N/A |
| Vendor Fix | N/A |
| Public Disclosure | N/A |
| Latest Modification | June 2, 2017 |
| CVE Identifier(s) | Pending |
| Product Description | Piwigo is a full featured open source photo gallery for the web, built and supported by an active community of users and developers, make it easy and faster to deploy a photo gallery In just seconds. |
| Credits | Eric Castañeda, Security Researcher & Penetration Tester @wizlynx group |
| Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities | |||
| Severity: Low | CVSS Score: 3.4 | CWE-ID: CWE-79 | Status: Not Fixed |
| Vulnerability Description | |||
| The application Piwigo is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 2.9.0 and possible priors. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | None |
| Privileges Required | High | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.