CVE-2012-2209

Piwigo < 2.3.3 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.

Exploits (1)

exploitdb WRITEUP

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/18782

View Code ZIP pw:eip

References (9)

[Various Sources] http://piwigo.org/bugs/view.php?id=2607

[Various Sources] http://piwigo.org/forum/viewtopic.php?id=19173

[Exploit] http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html

[Vendor Advisory] http://secunia.com/advisories/48903

[Exploit] http://www.exploit-db.com/exploits/18782

[Exploit] http://www.securityfocus.com/bid/53245

[Exploit] https://www.htbridge.com/advisory/HTB23085

[Release Notes] http://piwigo.org/releases/2.3.4

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/75186

Scores

EPSS 0.0387

EPSS Percentile 88.1%

Classification

CWE

CWE-79

Status published

Affected Products (2)

piwigo/piwigo < 2.3.3

n/a/n/a

Timeline

Published Aug 14, 2012

Tracked Since Feb 18, 2026