CVE-2024-46333

4.8 MEDIUM

📋 TL;DR

An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers with album creation permissions to inject malicious scripts into album names. When other users view these albums, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. This affects all Piwigo installations running version 14.5.0 with authenticated users who can create albums.

💻 Affected Systems

Products:
  • Piwigo
Versions: 14.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with album creation permissions. Self-hosted Piwigo installations are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full administrative access, deface the gallery, or install backdoors.

🟠 Likely Case

Attackers with regular user accounts could steal other users' session cookies, perform unauthorized actions, or redirect users to malicious sites.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as plain text.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. Public proof-of-concept demonstrates payload injection via album name parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.5.1 or later

Vendor Advisory: https://piwigo.org/forum/viewtopic.php?pid=210000

Restart Required: No

Instructions:

1. Back up your Piwigo database and files.
2. Download Piwigo 14.5.1 or later from piwigo.org.
3. Replace all files except the local/ and upload/ directories.
4. Clear the browser cache and test functionality.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add custom input validation to sanitize album names before processing.

Action: modify the Piwigo source code to strip HTML/script tags from album name input.
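The two sides of this workaround, as an added Python illustration that is not code from Piwigo or from the advisory: strip_tags is the input-side filter the workaround describes (remove HTML and script tags before the name is stored), and render_album_title is the output-side encoding that the official fix relies on and that remains the robust defence. The album names are constructed samples and the function names are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample album names (not taken from any real gallery): one
# benign name and two carrying markup of the kind the advisory describes.
SAMPLE_NAMES = [
    "Holiday 2024 & friends",
    "Family<script>alert(document.cookie)</script>",
    '<img src=x onerror="alert(1)">Party',
]


class _TagStripper(HTMLParser):
    """Keeps only text nodes; drops every tag, every attribute and the
    contents of <script>/<style> elements."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._parts: list[str] = []
        self._skip_depth = 0  # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._parts.append(data)

    def text(self) -> str:
        return "".join(self._parts)


def strip_tags(name: str) -> str:
    """Input-side workaround from the advisory (hypothetical helper): remove
    HTML and script tags from an album name before it is stored."""
    parser = _TagStripper()
    parser.feed(name)
    parser.close()
    return parser.text()


def render_album_title(name: str) -> str:
    """Output-side fix: HTML-encode the stored name at the point it is
    written into a page, so any brackets or quotes it still contains are
    inert text rather than markup."""
    return "<h2>" + html.escape(name, quote=True) + "</h2>"


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name))
        print("  stripped :", repr(strip_tags(name)))
        print("  encoded  :", render_album_title(name))
```

Stripping at input is only a stopgap: it silently alters legitimate names and has to anticipate every tag form, whereas encoding at output treats whatever was stored as text, which is why the "If Mitigated" case above names output encoding alongside validation.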

Temporary User Restriction (applies to: all)

Temporarily restrict album creation to trusted administrators only.

Action: adjust user permissions in the Piwigo admin panel.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in album name parameters.
  • Monitor and audit album creation activities for suspicious content patterns.

🔍 How to Verify

Check if Vulnerable:

Check if Piwigo version is exactly 14.5.0 via admin panel or version file.

Check Version:

Check include/version.inc.php or admin panel dashboard for version number.

Verify Fix Applied:

After updating, attempt to inject a basic XSS payload such as <script>alert('test')</script> into an album name; it should be sanitized and displayed as plain text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual album creation events with special characters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing script tags in album name parameters
  • Unexpected outbound connections after album viewing

SIEM Query:

source="web_server" AND (uri="*admin.php*" OR uri="*ws.php*") AND (param="*<script>*" OR param="*javascript:*")
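The log and network indicators above, and the SIEM query, implemented as an added Python scan over constructed access-log lines (this is example code, not part of the advisory or of Piwigo). The endpoints admin.php and ws.php come from the advisory; the query parameters in the sample lines (page=cat_modify, method=pwg.categories.add, name=) are assumed for illustration. The scan percent-decodes each parameter before matching, which the raw SIEM wildcard above does not do, so an encoded %3Cscript%3E is still caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines (not real traffic).
# Line 2 carries a percent-encoded <script> tag in the album name, line 3 a
# javascript: URI, line 4 is a benign album creation, lines 1 and 5 are
# unrelated requests. Query parameter names are assumed for illustration.
SAMPLE_LOG = """\
203.0.113.10 - alice [12/Sep/2024:10:01:02 +0000] "GET /piwigo/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - alice [12/Sep/2024:10:01:15 +0000] "GET /piwigo/admin.php?page=cat_modify&cat_id=7&name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - alice [12/Sep/2024:10:02:40 +0000] "GET /piwigo/ws.php?method=pwg.categories.add&name=javascript%3Aalert(1)&format=json HTTP/1.1" 200 310 "-" "curl/8.4"
198.51.100.7 - bob [12/Sep/2024:10:03:00 +0000] "GET /piwigo/ws.php?method=pwg.categories.add&name=Holiday+2024&format=json HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - bob [12/Sep/2024:10:03:05 +0000] "GET /piwigo/admin.php?page=photos_add HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One Apache/nginx "combined" log line: client, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two indicators from the advisory: a script tag or a javascript: URI.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Endpoints named in the advisory's SIEM query.
WATCHED_SCRIPTS = ("admin.php", "ws.php")


def find_xss_attempts(log_text: str) -> list[dict]:
    """Return one record per query parameter whose decoded value matches
    SUSPICIOUS on a request to a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(WATCHED_SCRIPTS):
            continue
        # parse_qs percent-decodes values once; decode a second time so a
        # double-encoded payload (%253Cscript) is also caught.
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)):
                    hits.append({
                        "ip": m.group("ip"),
                        "user": m.group("user"),
                        "time": m.group("ts"),
                        "path": url.path,
                        "param": param,
                        "value": value,
                    })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} user={hit["user"]} {hit["path"]} '
              f'{hit["param"]}={hit["value"]!r}')
```

Access logs record only the request line, so an album created through a POSTed form will not show its body here; pair this scan with WAF or application-level logging to cover that path, and treat the user field as the lead for the audit the "Monitor and audit album creation activities" item above calls for.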
