Description

The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.

Remediation

References

CVE-2018-7723

Related Vulnerabilities

WordPress Plugin WordPress Custom Global Variable Unspecified Vulnerability (3.0.0)

WordPress Plugin Easy Custom Auto Excerpt Cross-Site Scripting (2.4.6)

MySQL Cryptographic Issues Vulnerability (CVE-2003-1480)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2024-26279)

WordPress Plugin EME Sync Facebook Events Unspecified Vulnerability (1.0.38)

Severity

Medium

Classification

CVE-2018-7723 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities