Advisory: Piwigo 2.4.3 Cross-Site Scripting vulnerability
Advisory ID: SSCHADV2012-022
Author: Stefan Schurtz
Affected Software: Successfully tested on Piwigo 2.4.3
Vendor URL: http://piwigo.org/
Vendor Status: fixed

==========================
Vulnerability Description
==========================

Piwigo 2.4.3 is prone to a Cross-Site Scripting vulnerability

==========================
PoC-Exploit
==========================

http://[target]/piwigo/password.php

Username or E-Mail // POST-Parameter

"> ">

==========================
Solution
==========================

Upgrade to the latest version

==========================
Disclosure Timeline
==========================

07-Sep-2012 - informed Secunia via SVCRP
19-Oct-2012 - fixed by developer

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://piwigo.org/bugs/view.php?id=0002774
http://piwigo.org/bugs/view.php?id=2750
http://secunia.com/advisories/50510/
http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt
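The advisory describes a POST parameter on password.php being reflected into the page without output encoding. The following PHP is an added illustration of that bug class and its fix, written for this page; it is not Piwigo's code and makes no claim about how password.php is implemented. The field name `username_or_email`, the surrounding HTML fragment and the sample input are assumptions.

```php
<?php
// Added example, not Piwigo's code: a reflected-XSS pattern in a PHP form
// field, shown beside its fixed form. Field name and markup are assumed.

// Vulnerable pattern: the submitted value is concatenated straight into an
// HTML attribute. A double quote in the input closes the attribute and the
// remainder of the input is parsed as markup by the browser.
function render_field_unsafe(string $value): string
{
    return '<input type="text" name="username_or_email" value="' . $value . '">';
}

// Fixed pattern: contextual output encoding before the value reaches HTML.
// ENT_QUOTES encodes both " and ' so the input can never terminate the
// attribute; ENT_SUBSTITUTE avoids returning an empty string on invalid
// byte sequences; the explicit charset prevents encoding mismatches.
function render_field_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username_or_email" value="' . $encoded . '">';
}

// Defensive check that a unit test or template linter could apply: the
// rendered fragment must contain exactly one <input ...> element and no
// other tag, which is only true when the user value was encoded.
function fragment_is_contained(string $html): bool
{
    return preg_match_all('/<[a-zA-Z\/]/', $html) === 1;
}

// Constructed sample input (not the advisory's payload): a quote that breaks
// out of the attribute followed by harmless markup.
$sample = '"><em>injected</em>';

$unsafe = render_field_unsafe($sample);
$safe   = render_field_safe($sample);

echo "unsafe: {$unsafe}" . PHP_EOL;
echo "safe:   {$safe}" . PHP_EOL;
echo 'unsafe contained: ' . var_export(fragment_is_contained($unsafe), true) . PHP_EOL;
echo 'safe contained:   ' . var_export(fragment_is_contained($safe), true) . PHP_EOL;
```

Run it with `php example.php`. The unencoded branch yields a second element in the fragment, which is what a browser would render as injected markup; the encoded branch keeps the whole value inside the attribute. In a templating engine the same rule applies: escape at the point of output for the specific context (attribute, element body, JavaScript, URL), not at input time.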