CVE-2023-44393

9.3 CRITICAL

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Piwigo's administration interface lets an attacker inject JavaScript through the plugin_id parameter of a crafted admin.php URL. Only an authenticated administrator who opens such a link is affected; the injected script then runs in that administrator's browser session, where it can steal the session cookie or perform administrative actions on the attacker's behalf.

💻 Affected Systems

Products:
  • Piwigo
Versions: All versions prior to 14.0.0beta4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable page is reachable only by an authenticated administrator, so the attacker must lure an admin into opening the crafted link while logged in. Every installation has at least one administrator account, so all deployments are exposed to this social-engineering path.

📦 What is this software?

Piwigo is an open-source, self-hosted photo gallery application written in PHP with a MySQL/MariaDB backend. Its administration interface (admin.php) is where plugins are installed and configured, which is the area the affected parameter belongs to.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account takeover leading to full system compromise, data theft, or malware installation on the server.

🟠

Likely Case

Session hijacking allowing attacker to perform administrative actions, install malicious plugins, or modify gallery content.

🟢

If Mitigated

Limited impact if administrators do not open untrusted links while logged in to the admin interface and the site sends a Content Security Policy that blocks inline script.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering: an authenticated administrator must open a crafted link (for example from an e-mail or a comment). The attacker needs no credentials of their own, because the victim's live session supplies the authorization for whatever the injected script does.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0.0beta4 and later

Vendor Advisory: https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg

Restart Required: No

Instructions:

1. Back up your Piwigo installation and database.
2. Download Piwigo 14.0.0beta4 or later from official sources.
3. Upload the new release over the existing installation, replacing the application files.
4. Run the upgrade script (upgrade.php) if prompted.

🔧 Temporary Workarounds

Output escaping (applies to all affected versions)

Escape the plugin_id parameter at the point where admin.php reflects it into the page: wrap the value in htmlspecialchars() with ENT_QUOTES and an explicit charset, or reject any value that is not a plain plugin directory name before it is used.

Caveats: this edits a core file that the next upgrade will overwrite, so record the change and re-check after upgrading; locate the exact line from the vendor's fix rather than guessing, and remember that the edit covers only the sink named in the advisory.

🧯 If You Can't Patch

  • Send a Content Security Policy (CSP) header for the admin interface that blocks inline script; note that a policy permitting 'unsafe-inline' gives no protection against this class of bug, and a strict policy may break legacy admin pages, so test it first
  • Educate administrators to never open untrusted links while logged in, and to log out of the admin interface when they are done
  • Keep the number of administrator accounts to a minimum

🔍 How to Verify

Check if Vulnerable:

Check if Piwigo version is below 14.0.0beta4 in admin dashboard or by examining version files.

Check Version:

Check include/constants.php for PIWIGO_VERSION or view admin dashboard version info.

Verify Fix Applied:

After upgrading, while logged in as an administrator, request the admin plugins page with a plugin_id value containing a unique marker and characters such as < > " and confirm in the response source that they appear HTML-encoded (&lt; &gt; &quot;) rather than verbatim.
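The following is an added example, not code from the page or from Piwigo. It builds the test URL for the check above and classifies a fetched response body as reflecting the marker raw (still vulnerable), fully escaped (fixed), escaped except for quotes (still dangerous inside an attribute), or not at all. The sample responses are constructed, and the page=plugins query parameter is an assumption about the affected admin page.

```python
"""Classify how an admin.php response reflects a plugin_id canary.

Added example, not Piwigo code. Feed classify_reflection() a response body you
fetched yourself while logged in as an administrator (e.g. with curl and your
session cookie). Sample responses below are constructed.
"""
import html
import secrets
from urllib.parse import urlencode


def make_canary() -> str:
    # Unique token so a match cannot be a coincidence. It deliberately contains
    # the characters htmlspecialchars() must encode, but no single quote, so
    # PHP's and Python's escaped forms agree (PHP encodes ' as &#039;).
    return f'"><img src=x onerror=xss{secrets.token_hex(4)}>'


def build_test_url(base: str, canary: str) -> str:
    # page=plugins is an assumption about the affected admin page.
    params = {"page": "plugins", "plugin_id": canary}
    return f"{base.rstrip('/')}/admin.php?{urlencode(params)}"


def classify_reflection(body: str, canary: str) -> str:
    if canary in body:
        return "reflected_raw"              # markup reaches the page intact: vulnerable
    if html.escape(canary, quote=True) in body:
        return "reflected_escaped"          # &quot;&gt;&lt;img ...: fixed
    if html.escape(canary, quote=False) in body:
        # < and > encoded but " survives: a value inside an attribute can still
        # break out, so treat as not fixed.
        return "reflected_quotes_unescaped"
    return "not_reflected"                  # e.g. redirected to the login page


# Constructed fragments standing in for admin.php output in each state.
SAMPLE_CANARY = '"><img src=x onerror=xssdead>'
SAMPLE_RESPONSES = {
    "unpatched": f"<p>Plugin {SAMPLE_CANARY} is not installed.</p>",
    "patched": f"<p>Plugin {html.escape(SAMPLE_CANARY)} is not installed.</p>",
    "partial": f'<input value="{html.escape(SAMPLE_CANARY, quote=False)}">',
    "redirect": "<html><body>Please log in.</body></html>",
}


def run_samples() -> dict:
    return {name: classify_reflection(body, SAMPLE_CANARY)
            for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    print(build_test_url("https://gallery.example", SAMPLE_CANARY))
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Run the check both before and after the upgrade against the same URL so you have a positive control; a "not_reflected" result on an unpatched install usually means the request was redirected to the login page rather than that the sink is safe.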

📡 Detection & Monitoring

Log Indicators:

  • plugin_id values in admin.php requests that are not plain plugin directory names (quotes, angle brackets, parentheses, or their percent-encoded equivalents)
  • Administrative actions (plugin installation, account or setting changes) that the administrator does not recognise, shortly after such a request

Note that the payload arrives in the victim administrator's own request, so the source IP in the log is the admin's, not the attacker's; the attacker's IP only appears where the lure was delivered.

Network Indicators:

  • HTTP requests to admin.php whose plugin_id parameter contains script tags, event-handler attributes, or percent-encoded forms of them

SIEM Query:

web.url:*admin.php* AND web.query:plugin_id=*<script*

Caveat: this pattern only matches a literal, unencoded <script tag. Run it against a URL-decoded query field, and extend it to cover event-handler payloads (on*=) and percent-encoded variants (%3Cscript), otherwise the most common payloads will not match.
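The following is an added example, not part of the page or of Piwigo. Instead of searching for one literal payload string, it parses access-log lines, fully URL-decodes the plugin_id parameter and flags any value that is not a plausible plugin name, which catches encoded and event-handler payloads the query above misses. The log lines are constructed, and the allowlist (letters, digits, underscore, hyphen, dot) is an assumption about what Piwigo plugin ids look like.

```python
"""Flag admin.php requests whose plugin_id is not a plausible plugin name.

Added example, not Piwigo code. Piwigo plugin ids are directory names, so the
allowlist below is an assumption that should be tuned to your installation.
The client IP on a hit is the administrator's, since they sent the request.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of a legitimate plugin id (a directory name).
SAFE_PLUGIN_ID = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def decode_fully(value: str, rounds: int = 3) -> str:
    # Undo repeated percent-encoding so %253Cscript%253E is seen as <script>.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_plugin_ids(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m.group("target"))
        if not parsed.path.endswith("/admin.php"):
            continue
        # parse_qs decodes one layer; decode_fully handles double encoding.
        for raw in parse_qs(parsed.query, keep_blank_values=True).get("plugin_id", []):
            value = decode_fully(raw)
            if not SAFE_PLUGIN_ID.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "plugin_id": value,
                })
    return hits


# Constructed sample log lines (RFC 5737 addresses).
SAMPLE_LOG = [
    # Benign: an installed plugin being opened.
    '203.0.113.7 - - [10/Oct/2023:14:01:02 +0000] "GET /piwigo/admin.php?page=plugins&plugin_id=piwigo-videojs HTTP/1.1" 200 5120',
    # Percent-encoded script tag, which a literal "<script" search misses.
    '203.0.113.7 - - [10/Oct/2023:14:02:45 +0000] "GET /piwigo/admin.php?page=plugins&plugin_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
    # Double-encoded event-handler payload with no script tag at all.
    '203.0.113.7 - - [10/Oct/2023:14:03:10 +0000] "GET /piwigo/admin.php?page=plugins&plugin_id=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5198',
    # Public gallery traffic, not the admin page.
    '198.51.100.4 - - [10/Oct/2023:14:03:12 +0000] "GET /piwigo/index.php?/category/3 HTTP/1.1" 200 9031',
]


def scan_sample_log():
    return suspicious_plugin_ids(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample_log():
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} plugin_id={hit['plugin_id']!r}")
```

The allowlist approach flags anything that is not a plugin name rather than trying to enumerate payload shapes, so it also surfaces probing with odd but non-executable values; review hits together with the administrator's subsequent actions in the same session.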
