You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The ability to embedded some javascript in the album name or description is not new. We don't consider it as a vulnerability to fix.
In this way admin can easily takeover webmaster's access using this technique.
This is where I would like some details. Did you try this technique? Does it work? (on a Piwigo I mean). Stealing the session id in the cookie of a webmaster is not enough to steal its session... but if you have proof of concept, I'm highly interested.
Hi, I found Stored XSS in Piwigo version 12.2.0 (Not tested older versions).
Proof Of Concept:
Can use any malicious JS code, Now you can see XSS will pop-up.
Impact:
In this way admin can easily takeover webmaster's access using this technique.
Burp:
Please fix the vulnerability & let me know :).
Thank You!
The text was updated successfully, but these errors were encountered: