Description

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.

Remediation

References

CVE-2018-7722

Related Vulnerabilities

WordPress Plugin YOP Poll Cross-Site Scripting (5.8.0)

PHP Use of Uninitialized Resource Vulnerability (CVE-2019-11038)

WordPress Plugin Anti-Splog Cross-Site Scripting (2.1.7)

WordPress Plugin Slider by 10Web-Responsive Image Slider Unspecified Vulnerability (1.1.9)

WordPress Plugin Accessibility Suite by Online ADA SQL Injection (2.0.10)

Severity

Medium

Classification

CVE-2018-7722 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities