In Piwigo/admin/plugin.php

As you can see, a user-controlled input $_GET['section'] ($filename) is being sent to die(), which prints it out without any sanitization. This could result in cross-site scripting, because die() prints out content just like echo() before exiting.

Fix: do htmlentities($filename);
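An added example, not Piwigo's own code, that puts the pattern the report describes next to the proposed htmlentities() fix. The request is simulated from the command line with a constructed payload; the function names and the admin-check stub are assumptions, and the real page would pass the string to die() rather than return it.

```php
<?php
// Added example (not Piwigo's code): reflected XSS via die($filename)
// and the htmlentities() fix, runnable from the CLI.

// Constructed attacker-controlled value standing in for $_GET['section'],
// e.g. from a link the admin is tricked into visiting.
$_GET['section'] = '<script>alert(document.cookie)</script>';

// Assumed stand-in for Piwigo's check_status(ACCESS_ADMINISTRATOR):
// the victim *is* an authorized admin, so this check does not stop a
// reflected XSS; it only selects who gets hit.
function check_admin_stub(bool $isAdmin): void
{
    if (!$isAdmin) {
        throw new RuntimeException('access denied');
    }
}

// Vulnerable pattern as described in the report: die($filename) writes the
// raw parameter into the HTML response. Returned here instead of die()'d
// so both variants can be shown in one run.
function vulnerable_output(string $filename): string
{
    return $filename;
}

// Hardened variant: encode before output. ENT_QUOTES also escapes single
// quotes (before PHP 8.1 htmlentities() leaves them alone by default), and
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into ''.
function safe_output(string $filename): string
{
    return htmlentities($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

check_admin_stub(true);            // admin visits the malicious link
$filename = $_GET['section'];

echo "vulnerable: ", vulnerable_output($filename), PHP_EOL;
// -> vulnerable: <script>alert(document.cookie)</script>  (executes in the browser)

echo "hardened:   ", safe_output($filename), PHP_EOL;
// -> hardened:   &lt;script&gt;alert(document.cookie)&lt;/script&gt;  (rendered as text)
```

Run with `php example.php`; the second line shows the payload reduced to inert text, which is what the one-line htmlentities() change in the report achieves.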
It should be, because an attacker would only need to give the admin a malicious XSS link, and when the authorized admin visits it, check_status(ACCESS_ADMINISTRATOR); will return true. So yes, it is as dangerous.