oss-sec mailing list archives
CVE request: piwigo XSS in password.php
From: Raphael Geissert <geissert () debian org>
Date: Fri, 5 Oct 2012 23:54:24 -0500
Hi,

An XSS vulnerability has been reported in piwigo's password.php before 2.4.4:
http://piwigo.org/bugs/view.php?id=0002750
http://secunia.com/advisories/50510/

However, as stated in the Secunia advisory, the fix does not entirely address the issue.

For context, the stripslashes/strip_tags'ed POST variable is included in the template as follows:

<input type="text" id="username_or_email" name="username_or_email" ... value="{$username_or_email}">

(some parts redacted for clarity)

So, two ids are needed.

Thanks in advance.

Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.

--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
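The following is an added example, not Piwigo's code and not part of the original report. It shows why a strip_tags()-only fix is insufficient when the value is emitted inside an HTML attribute, which is the situation the template line above describes: strip_tags() only removes markup that starts with `<`, while an attribute value is terminated by a double quote. The two render functions, the simplified template string and the input payload are all constructed for illustration; the payload is not a tested Piwigo exploit.

```php
<?php
// Added example (not Piwigo's code): contrast the stripslashes/strip_tags
// treatment described in the report with attribute-context escaping.
// The template line is reproduced in simplified form.

function render_vulnerable(string $value): string
{
    // Mirrors the stripslashes/strip_tags handling described in the report.
    // strip_tags() removes <...> constructs but leaves double quotes alone.
    $v = strip_tags(stripslashes($value));
    return '<input type="text" id="username_or_email" name="username_or_email" value="' . $v . '">';
}

function render_fixed(string $value): string
{
    // Escape for the attribute context: ENT_QUOTES encodes both " and ' as
    // entities, so the value can no longer terminate the attribute it sits in.
    // (Assumed fix for illustration; not the upstream patch.)
    $v = htmlspecialchars(stripslashes($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="username_or_email" name="username_or_email" value="' . $v . '">';
}

function attribute_is_intact(string $html): bool
{
    // Constructed check: after rendering, the input element must carry no
    // raw double quote between the opening value=" and the closing ">.
    // A raw quote means the attacker-controlled value ended the attribute.
    if (preg_match('/value="(.*)">$/s', $html, $m) !== 1) {
        return false;
    }
    return strpos($m[1], '"') === false;
}

// Constructed input: contains no '<' or '>', so strip_tags() passes it through
// unchanged, yet the leading double quote closes value="..." and the remainder
// becomes new attributes of the <input> element.
$input = '" autofocus onfocus="alert(document.domain)';

$vulnerable = render_vulnerable($input);
$fixed      = render_fixed($input);

echo $vulnerable, PHP_EOL;
echo "attribute intact: ", var_export(attribute_is_intact($vulnerable), true), PHP_EOL;
echo $fixed, PHP_EOL;
echo "attribute intact: ", var_export(attribute_is_intact($fixed), true), PHP_EOL;
```

Run with `php example.php`. In the first rendering the quote from the input terminates `value=""` and `autofocus onfocus=...` are emitted as attributes of the element; in the second the quote is emitted as `&quot;` and the whole string remains the attribute's text. The practical rule is to escape at the point of output for the context in question (here an attribute, hence ENT_QUOTES), rather than filtering tags on input; if the template engine provides an escaping modifier for `{$username_or_email}`, that is the idiomatic place to apply it.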
Current thread:
- CVE request: piwigo XSS in password.php Raphael Geissert (Oct 05)
- Re: CVE request: piwigo XSS in password.php Kurt Seifried (Oct 18)