SB2024021243 - Multiple vulnerabilities in Piwigo

Published: February 12, 2024 Updated: April 26, 2026

Security Bulletin ID: SB2024021243
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 50% (1 of 2)
Low: 50% (1 of 2)

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site request forgery (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient protection against cross-site request forgery in the administrator dashboard, combined with a stored cross-site scripting issue in the same dashboard: a crafted request can store attacker-controlled script content that is later rendered without sanitization. A remote attacker can trick an authenticated administrator into submitting the crafted request from the administrator's own browser, so that the script payload is stored; when the payload runs in the administrator's dashboard it can use the administrator's session to upload a PHP file and execute arbitrary code on the server.

Exploitation requires chaining the cross-site request forgery issue with the stored cross-site scripting issue. The malicious script executes only in an administrator's dashboard, so an administrator must first visit an attacker-controlled page and then open the dashboard.


2) Cross-site scripting (CVE-ID: CVE-2024-28662)

The vulnerability allows a remote attacker to execute arbitrary code on the underlying server infrastructure.

The vulnerability exists due to a cross-site scripting issue in the administrative interface that can be triggered through cross-site request forgery. A remote attacker can trick an administrator into loading a page that causes the administrator's browser to execute attacker-controlled JavaScript in the context of the administrative interface; that script then uses the administrator's session to upload remote code and execute it on the underlying server.

Successful exploitation requires interaction by an authenticated administrator.
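
Both entries describe the same chain: a forged admin request plants script, the script runs with the admin's session, and the session is used to upload executable PHP. The following is an added illustration of how an admin form handler closes each link of that chain; it is not Piwigo's code and is not taken from the bulletin. The field names (`title`, `photo`), the `uploads` directory and the image allowlist are assumptions chosen for the example.

```php
<?php
// Added example (not Piwigo code): hardening an admin form handler against the
// CSRF -> stored XSS -> PHP upload chain. The weak pattern it replaces
//   1. accepts the POST with no anti-CSRF token (any site the admin visits can submit it),
//   2. echoes the stored value into the dashboard unescaped (stored XSS),
//   3. saves the upload under its original name ("shell.php" becomes executable).
declare(strict_types=1);

// SameSite cookies stop most cross-site POSTs from carrying the admin session at all.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- Link 1: synchronizer token bound to the admin session ---------------------
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function verify_csrf(): void {
    $sent = $_POST['csrf'] ?? '';
    // hash_equals: constant-time compare; a missing or wrong token rejects the request.
    if (!is_string($sent) || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// --- Link 2: escape at output, so stored content can never become script -------
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Link 3: allowlist extension + sniffed MIME type, store under a fresh name --
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];   // assumed policy

function save_upload(array $file, string $dir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');      // .php, .phtml, ... rejected here
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random server-chosen name: the attacker never controls the stored filename.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// --- Request handling -----------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    verify_csrf();                               // reject forged cross-site POSTs first
    $_SESSION['title'] = (string)($_POST['title'] ?? '');   // stored raw; escaped at output
    if (!empty($_FILES['photo'])) {
        // Assumed directory; it must additionally be served with PHP execution disabled.
        save_upload($_FILES['photo'], __DIR__ . '/uploads');
    }
}
?>
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
  <input name="title" value="<?= e($_SESSION['title'] ?? '') ?>">
  <input type="file" name="photo">
  <button>Save</button>
</form>
```

Each check is independent: the token alone would have blocked the forged request in entry 1, output escaping alone would have kept the stored payload inert, and the upload allowlist plus server-chosen filename alone would have stopped the final PHP execution even if an administrator's session were abused.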


Remediation

Install the update from the vendor's website.