Info

Disclosure

Sep 27, 2012

Discovery

Unknown

Dates

Exploit

Sep 27, 2012

Solution

Unknown

Description

Piwigo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'username_or_email' parameter upon submission to the password.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Vendor Verified, Third-party Verified
OSVDB: Web Related

Solution

OSVDB is not aware of a solution for this vulnerability. Secunia has reported that the vendor issued a fix in 2.4.4, but it was ineffective.

Products

Piwigo project	Piwigo	2.4.3
		2.4.4

References

CVE ID: 2012-4525 (see also: NVD) 2012-4526 (see also: NVD) 2012-6126 (see also: NVD)
Secunia Advisory ID: 50510
Vendor Specific News/Changelog Entry: http://freecode.com/projects/piwigo/releases/348491
http://piwigo.org/releases/2.4.4
Mail List Post: http://seclists.org/oss-sec/2012/q4/98
http://seclists.org/oss-sec/2013/q1/275
http://seclists.org/oss-sec/2013/q1/277

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/85817

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Piwigo project

Piwigo

References

Credit