Description
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
Remediation
References
Related Vulnerabilities
Joomla Improper Input Validation Vulnerability (CVE-2020-35616)
Ruby Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1005)
Squid Operation on a Resource after Expiration or Release Vulnerability (CVE-2024-23638)
WordPress Plugin Advanced Custom Fields (ACF) Cross-Site Scripting (6.1.5)