Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Piwigo - CVE-2023-44393

Published: October 6, 2023 / Updated: April 26, 2026


Vulnerability identifier: #VU127935
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-44393
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Piwigo
Software vendor:
Piwigo.org

Description

The vulnerability allows a remote attacker to execute arbitrary script code in an administrator's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here] when handling a crafted plugin_id parameter in a request. A remote attacker can send a specially crafted URL to an administrator; when it is opened, arbitrary script code executes in the administrator's browser.

User interaction is required, and the victim must be logged in as an administrator and visit the crafted URL.
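As an added illustration of the CWE-80 pattern behind this advisory (example code, not Piwigo's own; the function names, the status message and the allowlist pattern are assumptions for this example), the following PHP shows a plugin-install status line that reflects the plugin_id request parameter unencoded, beside a hardened version that validates the identifier and encodes it for the HTML context it is written into.

```php
<?php
// Added example, not Piwigo code: a minimal "plugin installed" status line
// that reflects the plugin_id request parameter.

// Vulnerable pattern (CWE-80): the parameter reaches the HTML response verbatim,
// so any tag it contains is rendered by the administrator's browser.
function render_status_vulnerable(string $plugin_id): string
{
    return '<p>Plugin ' . $plugin_id . ' installed.</p>';
}

// Hardened pattern, in two layers:
// 1. Validate: a plugin id names a directory, so restrict it to an allowlist
//    of characters (the pattern below is an assumption for this example).
// 2. Encode: escape for the HTML context even after validation, so a later
//    relaxation of the allowlist cannot silently reintroduce the injection.
function is_valid_plugin_id(string $plugin_id): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $plugin_id) === 1;
}

function render_status_hardened(string $plugin_id): string
{
    if (!is_valid_plugin_id($plugin_id)) {
        // Refuse rather than reflect the rejected value back to the user.
        return '<p>Plugin installation status unavailable.</p>';
    }
    $safe = htmlspecialchars($plugin_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Plugin ' . $safe . ' installed.</p>';
}

// Constructed sample inputs: one carrying an HTML tag, as a crafted URL would,
// and one legitimate-looking identifier.
$crafted = '<script>';
$benign  = 'example-plugin';

// Normally the value would come from the request, e.g.:
// $plugin_id = $_GET['plugin_id'] ?? '';

// Vulnerable: the tag survives into the markup.
echo render_status_vulnerable($crafted), PHP_EOL;
// Hardened: the crafted value is rejected; the legitimate id is echoed encoded.
echo render_status_hardened($crafted), PHP_EOL;
echo render_status_hardened($benign), PHP_EOL;
```

The same two layers apply to every request parameter the admin UI echoes back, not only plugin_id; the allowlist belongs wherever the identifier is first read, and the encoding belongs at the point where it is written into HTML.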


Remediation

Install the security update from the vendor's website.

External links