Description
The management panel in Piwigo 2.9.3 is vulnerable to stored cross-site scripting (XSS) via the name parameter in a /admin.php?page=photo-${photo_number} request. Exploitation through CSRF, related to CVE-2017-10681, may be possible.
Remediation
References
Related Vulnerabilities
WordPress Plugin Happy Addons for Elementor Cross-Site Scripting (2.23.0)
WordPress Plugin Restricted Site Access Security Bypass (7.3.1)
WordPress Plugin Newsletter Open Redirect (2.6.4.4)
Jolokia Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-0168)
Lighttpd Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-1270)