Security Research & Advisories

Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities in Piwigo

Product: Piwigo
Affected Version(s): 2.9.0 and probably earlier versions
Tested Version(s): 2.9.0
Vulnerability Discovery: May 29, 2017
Vendor Notification: May 29, 2017
Advisory Publication: June 2, 2017 [without technical details]
Vendor Acknowledgment: N/A
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: June 2, 2017
CVE Identifier(s): Pending
Product Description: Piwigo is a full-featured open source photo gallery for the web, built and supported by an active community of users and developers, that makes it easy and fast to deploy a photo gallery in just seconds.
Credits: Eric Castañeda, Security Researcher & Penetration Tester @ wizlynx group

Vulnerability Details

Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities
Severity: Low
CVSS Score: 3.4
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
Piwigo 2.9.0, and possibly earlier versions, is affected by multiple stored and reflected Cross-Site Scripting (XSS) vulnerabilities. They allow a remote, authenticated attacker to inject arbitrary web script or HTML that is rendered, and executed, in the browser of other users who view the affected pages.
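The advisory withholds the affected inputs until a patch exists, so the following is a generic illustration of the CWE-79 pattern described above, added here as an example and not taken from Piwigo or from the researcher: attacker-controlled text is stored, then interpolated into HTML without output encoding, so it is parsed as markup by every browser that later renders the page. The in-memory store, the caption names and the two payloads are constructed for the demonstration. The hardened variant applies contextual output encoding; the parser-based check shows why escaping quotes matters when the text also lands inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed in-memory store standing in for an application's caption/comment table.
# Names and layout are hypothetical; this is not Piwigo code.
CAPTIONS = {}

def store_caption(photo_id, caption):
    """Persist attacker-controlled text exactly as submitted (the 'stored' half of stored XSS)."""
    CAPTIONS[photo_id] = caption

def render_vulnerable(photo_id):
    """CWE-79: stored text is interpolated into HTML with no output encoding."""
    caption = CAPTIONS[photo_id]
    return f"<div class='caption' title='{caption}'>{caption}</div>"

def render_hardened(photo_id):
    """Encode for the HTML context before emitting: html.escape(quote=True) turns
    <, >, &, double and single quotes into entities, so the text can neither close
    the quoted attribute nor open a new element."""
    caption = html.escape(CAPTIONS[photo_id], quote=True)
    return f"<div class='caption' title='{caption}'>{caption}</div>"

class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser-like parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

def injected_markup(rendered):
    """True if the rendered fragment parses into anything other than the single
    expected <div class title> element, i.e. the stored text became markup."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags != [("div", ["class", "title"])]

# Two constructed payloads: one opens a new element, one breaks out of the quoted attribute.
PAYLOAD_ELEMENT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTRIBUTE = "x' onmouseover='alert(1)"

def demo():
    """Return {payload name: (vulnerable rendering injects?, hardened rendering injects?)}."""
    results = {}
    for name, payload in (("element", PAYLOAD_ELEMENT), ("attribute", PAYLOAD_ATTRIBUTE)):
        store_caption(name, payload)
        results[name] = (injected_markup(render_vulnerable(name)),
                         injected_markup(render_hardened(name)))
    return results

if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name} payload: vulnerable={vuln} hardened={hard}")
```

The check deliberately uses a parser rather than a substring match: a fix that only strips `<script>` leaves the attribute payload working, and an encoder that leaves single quotes alone (`html.escape(..., quote=False)`) still lets it break out of the single-quoted `title` attribute.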
CVSS Base Score (v3.0 base metrics)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Vector string (derived from the metrics above): CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N


Full details about the vulnerability will be disclosed once the vendor has provided a patch.