2 matches found
Design/Logic Flaw
The management panel in Piwigo 2.9.3 has stored XSS via the virtualname parameter in a /admin.php?page=catlist request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible...
CVE-2017-9836
CVE-2017-9836 affects Piwigo 2.9.1 with stored XSS via the virtual_name parameter in /admin.php (creating a virtual album). The issue requires an authenticated administrator to trigger the payload, allowing injection of arbitrary web script or HTML. The connected sources confirm the vulnerability...