Description
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.