Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 714926 (CVE-2020-9467) - www-apps/piwigo: Stored XSS via file parameter in /ws.php (CVE-2020-9467)
Summary: www-apps/piwigo: Stored XSS via file parameter in /ws.php (CVE-2020-9467)
Status: RESOLVED FIXED
Alias: CVE-2020-9467
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/Piwigo/Piwigo/issu...
Whiteboard: ~4 [noglsa cve]
Keywords:
: 716626 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-03-26 20:58 UTC by Sam James
Modified: 2020-04-08 00:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 20:58:56 UTC 
Description:
"Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function."

Patch: https://github.com/Piwigo/Piwigo/commit/1e23ed84d3a80f00b827de8aed546464674bb427
Comment 1 Bernard Cafarelli gentoo-dev 2020-03-27 17:04:14 UTC 
Upstream has release 2.10.2 (with this in), I will bump and drop old patched 2.10.1-r1
Comment 2 Larry the Git Cow gentoo-dev 2020-03-27 17:13:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2bd76209626746148e1bde1950d47788dc839c3

commit b2bd76209626746148e1bde1950d47788dc839c3
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-03-27 17:03:31 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-03-27 17:03:53 +0000

    www-apps/piwigo: drop security vulnerable version
    
    Upstream released 2.10.2, with all fixes included
    
    Bug: https://bugs.gentoo.org/714926
    Package-Manager: Portage-2.3.96, Repoman-2.3.21
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                           |  1 -
 www-apps/piwigo/files/piwigo-2.10.1-css_vuln.patch | 94 ----------------------
 .../files/piwigo-2.10.1-php7.4_deprecation.patch   | 56 -------------
 .../piwigo/files/piwigo-2.10.1-php7.4_notice.patch | 41 ----------
 www-apps/piwigo/piwigo-2.10.1-r1.ebuild            | 49 -----------
 5 files changed, 241 deletions(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-27 21:47:24 UTC 
Thanks once again for being speedy!

Closing because tree is clean and noglsa.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-08 00:31:49 UTC 
*** Bug 716626 has been marked as a duplicate of this bug. ***