Description: "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function." Patch: https://github.com/Piwigo/Piwigo/commit/1e23ed84d3a80f00b827de8aed546464674bb427
Upstream has release 2.10.2 (with this in), I will bump and drop old patched 2.10.1-r1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2bd76209626746148e1bde1950d47788dc839c3 commit b2bd76209626746148e1bde1950d47788dc839c3 Author: Bernard Cafarelli <voyageur@gentoo.org> AuthorDate: 2020-03-27 17:03:31 +0000 Commit: Bernard Cafarelli <voyageur@gentoo.org> CommitDate: 2020-03-27 17:03:53 +0000 www-apps/piwigo: drop security vulnerable version Upstream released 2.10.2, with all fixes included Bug: https://bugs.gentoo.org/714926 Package-Manager: Portage-2.3.96, Repoman-2.3.21 Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org> www-apps/piwigo/Manifest | 1 - www-apps/piwigo/files/piwigo-2.10.1-css_vuln.patch | 94 ---------------------- .../files/piwigo-2.10.1-php7.4_deprecation.patch | 56 ------------- .../piwigo/files/piwigo-2.10.1-php7.4_notice.patch | 41 ---------- www-apps/piwigo/piwigo-2.10.1-r1.ebuild | 49 ----------- 5 files changed, 241 deletions(-)
Thanks once again for being speedy! Closing because tree is clean and noglsa.
*** Bug 716626 has been marked as a duplicate of this bug. ***