Cross-site scripting in Piwigo - CVE-2016-10083
Published: January 3, 2017
Vulnerability identifier: #VU3120
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-10083
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Piwigo.org
Affected software:
Piwigo
Piwigo
Detailed vulnerability description
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to /admin/plugin.php script. A remote attacker can create a specially crafted web link, trick the website administrator into visiting it and execute arbitrary HTML and script code in victim’s browser in context of vulnerable website.
Successful exploitation of the vulnerability may allow an attacker to perform phishing or drive-by-download attacks, as well as steal cookies and manipulate web page content.
How to mitigate CVE-2016-10083
Update to version 2.8.5.