The ability to embed some JavaScript in the album name or description is not new. We don't consider it as a vulnerability to fix.
In this way admin can easily take over webmaster's access using this technique.
This is where I would like some details. Did you try this technique? Does it work? (on a Piwigo I mean). Stealing the session id in the cookie of a webmaster is not enough to steal its session... but if you have proof of concept, I'm highly interested.
Hi, I found Stored XSS in Piwigo version 12.2.0 (Not tested older versions).
Proof Of Concept:
Can use any malicious JS code. Now you can see the XSS will pop up.
Impact:
In this way admin can easily take over webmaster's access using this technique.
Burp:
Please fix the vulnerability & let me know :).
Thank You!