Описание
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener.
Ссылки
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 14.2.0 (исключая)
cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*
EPSS
Процентиль: 63%
0.00455
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.4
debian
почти 2 года назад
An issue exists within Piwigo before v.14.2.0 allowing a malicious use ...
CVSS3: 5.4
github
почти 2 года назад
Cross Site Scripting vulnerability in Piwigo before v.14.2.0 allows a remote attacker to escalate privileges via the batch function on the admin page.
EPSS
Процентиль: 63%
0.00455
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-79