Cross-site scripting in Piwigo - CVE-2024-28662

Published: March 1, 2024 / Updated: April 25, 2026


Vulnerability identifier: #VU127939
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-28662
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Piwigo
Software vendor: Piwigo.org

Description

The vulnerability allows a remote user to execute arbitrary code on the underlying server infrastructure.

The vulnerability exists due to a combination of cross-site scripting and cross-site request forgery in the administrative interface. A remote user can cause an administrator to execute crafted JavaScript in the administrative interface, which can then upload remote code and execute arbitrary code on the underlying server infrastructure.

User interaction by an administrator is required.


Remediation

Install the security update from the vendor's website.

External links