CVE-2023-44393

Exploit

EPSS 4.7%
Veröffentlicht 09.10.2023 15:15:10
Zuletzt bearbeitet 21.11.2024 08:25:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Piwigo ≫ Piwigo Version <= 13.8.0

Piwigo ≫ Piwigo Version14.0.0 Updatebeta1

Piwigo ≫ Piwigo Version14.0.0 Updatebeta2

Piwigo ≫ Piwigo Version14.0.0 Updatebeta3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.7%	0.889

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	9.3	2.8	5.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23

Patch

https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-44393

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-44393

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-44393

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-44393