CVE-2023-53939

5.4 MEDIUM

📋 TL;DR

TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability where authenticated attackers can inject malicious JavaScript through folder names. This allows execution of arbitrary scripts when other users view affected gallery pages, potentially compromising their sessions or stealing credentials. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • TinyWebGallery
Versions: Version 2.5
Operating Systems: All operating systems running TinyWebGallery
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability requires authenticated access to exploit. Any installation of TinyWebGallery v2.5 with default configuration is vulnerable.

📦 What is this software?

TinyWebGallery is a PHP-based web photo gallery. Folder names entered through its authenticated interface are stored and later written into the HTML of gallery pages, which is where an injected script runs in the browser of whoever views the page.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, take over administrative accounts, deface galleries, or redirect users to malicious sites, potentially leading to complete system compromise if admin accounts are hijacked.

🟠

Likely Case

Attackers with authenticated access could inject malicious scripts to steal session cookies from other users, potentially gaining unauthorized access to their accounts within the gallery system.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code, preventing any exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is simple to exploit by editing folder names with script tags. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: http://www.tinywebgallery.com/

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if the vendor has released one. Otherwise, fix the source: HTML-encode every folder name at the point where it is written into a page (this is the actual XSS fix, and it also neutralises names stored before the fix), and validate folder names against a whitelist on input as defence in depth.

🔧 Temporary Workarounds

Encode Folder Names on Output

The script executes where a stored folder name is written into HTML, so the fix belongs at the rendering point, not only at input. Wrap every output of a folder name in htmlspecialchars($folder_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). ENT_QUOTES also protects attribute values such as href, and ENT_SUBSTITUTE keeps a name containing invalid UTF-8 from being silently turned into an empty string. Encoding on output also neutralises names that were stored before the fix.

Restrict Folder Name Characters

As defence in depth, reject any new or edited folder name that fails a whitelist, for example preg_match('/^[A-Za-z0-9 ._-]+$/', $folder_name) === 1. A literal space is used instead of \s so tabs and newlines are rejected too. Validation alone does not clean up names already stored.
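The two workarounds above, combined in one hardened handler. This is an added example, not TinyWebGallery's own code: the function names, the folder-link markup and the sample names are assumptions about how a gallery page might render a folder name; only the use of htmlspecialchars() and a whitelist regex come from the page. It shows the vulnerable pattern beside the hardened one, and that a payload stored before the fix is still rendered inert once output is encoded.

```php
<?php
// Added example, not TinyWebGallery source. Function names, the folder-link
// markup and the sample names are assumptions; only htmlspecialchars() and a
// whitelist regex come from the workarounds on this page.
declare(strict_types=1);

// Defence in depth at input time: accept only a conservative character set.
// A literal space is used instead of \s so tabs and newlines are rejected, and
// "." / ".." are refused so a folder name cannot double as a path component.
function validateFolderName(string $name): bool
{
    if ($name === '' || strlen($name) > 64 || $name === '.' || $name === '..') {
        return false;
    }
    return preg_match('/^[A-Za-z0-9 ._-]+$/', $name) === 1;
}

// The actual XSS fix: encode at the point where a name is written into HTML.
// ENT_QUOTES covers attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole name into an empty string (htmlspecialchars' default).
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern described by the advisory: the stored name is interpolated
// raw, both into an attribute and into element content.
function renderFolderLinkVulnerable(string $name): string
{
    return '<a href="index.php?folder=' . $name . '">' . $name . '</a>';
}

// Hardened rendering: URL-encode the name for the query string, then
// HTML-encode both the attribute value and the visible text.
function renderFolderLinkSafe(string $name): string
{
    $href = 'index.php?folder=' . rawurlencode($name);
    return '<a href="' . encodeHtml($href) . '">' . encodeHtml($name) . '</a>';
}

// The "Verify Fix Applied" check done programmatically: true when the rendered
// HTML contains no raw script tag.
function rendersWithoutRawScript(string $html): bool
{
    return stripos($html, '<script') === false;
}

// Constructed inputs: a benign name, the payload type the advisory describes,
// and a name with a newline and an event-handler payload.
$names = ['Holiday 2023', '<script>alert(\'XSS\')</script>', "evil\n<img src=x onerror=alert(1)>"];

foreach ($names as $name) {
    printf("input accepted: %s\n", validateFolderName($name) ? 'yes' : 'no');
    // A name stored before the fix never passed validation; output encoding
    // is what stops it.
    printf("vulnerable html: %s\n", renderFolderLinkVulnerable($name));
    $safe = renderFolderLinkSafe($name);
    printf("safe html:       %s  (raw script present: %s)\n\n",
        $safe, rendersWithoutRawScript($safe) ? 'no' : 'yes');
}
```

Run it with `php hardened_folder_name.php` (any filename). The split between validateFolderName() and encodeHtml() is deliberate: validation protects new input, encoding protects every render, including names already on disk, so the encoding step is the one that must not be skipped.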

🧯 If You Can't Patch

  • Restrict authenticated user permissions so that only trusted accounts can create or rename folders
  • Add web application firewall rules that block script tags and javascript: URIs in folder name parameters; match on the URL-decoded value, and treat this as a speed bump only, since encoded, split or event-handler payloads routinely bypass literal-string rules

🔍 How to Verify

Check if Vulnerable:

Using an authenticated test account (ideally on a non-production copy), create or rename a folder to <script>alert('XSS')</script> and check whether the alert fires when viewing a gallery page that lists the folder. Also try the payload in its URL-encoded form, since that is how it normally reaches the server.

Check Version:

Check the version.txt file in the TinyWebGallery installation directory or view the admin panel

Verify Fix Applied:

Test if script tags in folder names are properly encoded and displayed as text rather than executed

📡 Detection & Monitoring

Log Indicators:

  • Unusual folder name edits containing script tags
  • Multiple failed login attempts followed by folder name changes

Network Indicators:

  • HTTP POST requests to folder editing endpoints with script content in parameters

SIEM Query:

source="web_logs" AND (uri_path="/admin/folder_edit" OR uri_path="/folder/update") AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:" OR param_value CONTAINS "%3Cscript")

The two uri_path values are placeholders; replace them with the folder-edit endpoint of your installation. Standard web-server access logs record the query string but not POST bodies, so parameter-level matching needs the application log or a reverse-proxy/WAF log that captures bodies. Apply the match to the URL-decoded value so that %3Cscript%3E and double-encoded variants are caught, not only the literal <script> string.
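The detection idea above, run over constructed access-log lines, as an added example that is not from the page or the vendor: the /admin/folder_edit path, the user names and the addresses are made up, and combined log format is assumed. The decode loop is the point: a literal "<script>" match on the raw log misses the percent-encoded and double-encoded forms that actually reach the server.

```php
<?php
// Added example, not TinyWebGallery or vendor code. The log lines are
// constructed (RFC 5737 addresses) and /admin/folder_edit is a placeholder for
// the real folder-edit endpoint. Combined/common log format is assumed.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - admin [12/Oct/2023:10:01:02 +0000] "GET /admin/folder_edit?folder=Holiday%202023 HTTP/1.1" 200 512
203.0.113.5 - admin [12/Oct/2023:10:01:30 +0000] "GET /admin/folder_edit?folder=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.5 - admin [12/Oct/2023:10:02:10 +0000] "GET /admin/folder_edit?folder=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 512
198.51.100.7 - bob [12/Oct/2023:10:03:00 +0000] "GET /index.php?folder=Pets HTTP/1.1" 200 2048
LOG;

// Matched against the decoded query string. A short explicit list of event
// handlers is used rather than \bon[a-z]+=, which would flag benign parameter
// names such as option=.
const XSS_PATTERN = '/<\s*script|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=/i';

// Percent-decode until the string stops changing (bounded), so double-encoded
// payloads like %253Cscript%253E are seen as <script>.
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = urldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Returns one record per request whose path starts with $pathPrefix and whose
// decoded query matches XSS_PATTERN. Only the query string is visible here:
// standard access logs do not record POST bodies.
function findSuspiciousRequests(string $log, string $pathPrefix): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $user, $time, $method, $target] = $m;
        $path  = (string) (parse_url($target, PHP_URL_PATH) ?: '');
        $query = (string) (parse_url($target, PHP_URL_QUERY) ?: '');
        if (strncmp($path, $pathPrefix, strlen($pathPrefix)) !== 0) {
            continue;
        }
        $decoded = fullyDecode($query);
        if (preg_match(XSS_PATTERN, $decoded) === 1) {
            $hits[] = ['time' => $time, 'ip' => $ip, 'user' => $user, 'method' => $method, 'query' => $decoded];
        }
    }
    return $hits;
}

foreach (findSuspiciousRequests(SAMPLE_LOG, '/admin/') as $hit) {
    printf("%s %s user=%s %s %s\n", $hit['time'], $hit['ip'], $hit['user'], $hit['method'], $hit['query']);
}
```

The benign rename and the request outside the admin path are left alone; the encoded and double-encoded payloads are both reported because matching happens after decoding. In production, point findSuspiciousRequests() at the real log and prefix, and feed the reported user and source address into the "failed logins followed by folder name changes" correlation listed above.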
