Headline
CVE-2023-33359: There is a CSRF vulnerability in the "add tags" function of piwigo · Issue #1908 · Piwigo/Piwigo
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the “add tags” function.
This vulnerability lies in the ‘add tags’ function in the backend.
Try creating a new label here.
Use burpsuite to intercept this request.
You can see that CSRF-Token does not exist here,So we can generate a CSRF POC.
Execute this poc,note that there are no tags here at this time
After executing the POC, it was found that there were new tags added
//CSRF POC:
`
<script> history.pushState('’, '’, ‘/’); document.forms[0].submit(); </script> `
Of course, only one CSRF vulnerability is not serious. Next, I will demonstrate the possibility of combining it with XSS vulnerabilities for exploitation