CVE-2024-46606

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the photo description field of Piwigo v14.5.0 allows an attacker with admin panel access to inject script that executes when an administrator views the affected page. A successful attacker could hijack admin sessions or perform unauthorized actions with administrator privileges.

💻 Affected Systems

Products:
  • Piwigo
Versions: v14.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access to exploit; affects the photo description field in /admin.php?page=photo.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full site takeover, data theft, or server-side code execution through chained attacks.

🟠 Likely Case

Session hijacking of admin users, defacement, or theft of admin credentials.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, or if admin access is restricted.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the admin panel; proof-of-concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v14.5.1 or later

Vendor Advisory: https://github.com/Piwigo/Piwigo

Restart Required: No

Instructions:

1. Backup your Piwigo installation and database.
2. Download the latest version from the official Piwigo repository.
3. Replace the affected files with the patched version.
4. Verify the fix by testing the photo description field.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement server-side input validation and output encoding for the photo description field.

Restrict Admin Access (applies to: linux)

Limit admin panel access to trusted IP addresses using web server configuration.

# Apache: Use .htaccess with Require ip
# Nginx: Use allow/deny directives in server block

🧯 If You Can't Patch

  • Disable or restrict access to the /admin.php?page=photo component if not essential.
  • Implement a web application firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Test by injecting a simple XSS payload (e.g., <script>alert('test')</script>) into the photo description field and checking whether it executes when the page is viewed.

Check Version:

Check the Piwigo version in the admin panel or via the /admin.php?page=about page.

Verify Fix Applied:

After patching, repeat the XSS test; the payload should be properly sanitized and not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin.php?page=photo with script tags in parameters
  • Admin session anomalies or unexpected admin actions

Network Indicators:

  • HTTP requests containing malicious script payloads to the admin endpoint

SIEM Query:

source="web_logs" AND uri="/admin.php" AND (param="page" AND value="photo") AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:")
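The log indicators and SIEM query above, as an added detection example that is not part of the original advisory: a Python scanner that reads Apache/Nginx combined-format access log lines (the sample lines below are constructed, not real traffic), keeps only requests to /admin.php with page=photo, and flags URL-encoded or double-encoded query strings containing a script tag or a javascript: URI. The log format regex and field names are assumptions; note that access logs only record the query string, so payloads sent in a POST body are only visible in a WAF or ModSecurity audit log.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format (assumed; adjust the regex to your server's log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Mirrors the advisory's SIEM query: inline script tags or javascript: URIs.
XSS_RE = re.compile(r'<\s*script\b|javascript\s*:', re.IGNORECASE)


def is_suspicious(line: str) -> Optional[dict]:
    """Return match details when a line hits the Piwigo photo admin page with an XSS-like payload."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/admin.php":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "photo" not in params.get("page", []):
        return None
    # Decode twice so that single- and double-URL-encoded payloads are both caught.
    decoded = unquote_plus(unquote_plus(parts.query))
    hit = XSS_RE.search(decoded)
    if not hit:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "match": hit.group(0)}


def scan(lines):
    """Run is_suspicious over an iterable of log lines and return the hits."""
    return [r for r in (is_suspicious(line) for line in lines) if r]


# Constructed sample log lines (not real traffic); only the query string is visible here.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /admin.php?page=photo&image_id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:12:00:09 +0000] "POST /admin.php?page=photo&image_id=42&description=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Oct/2024:12:01:00 +0000] "GET /index.php?%3Cscript%3E HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2024:12:02:00 +0000] "POST /admin.php?page=photo&description=%253Cscript%253E HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```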
