891971 – <www-apps/piwigo-13.5.0: Stored XSS Vulnerability

Bug 891971 - <www-apps/piwigo-13.5.0: Stored XSS Vulnerability

Summary: <www-apps/piwigo-13.5.0: Stored XSS Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://github.com/Piwigo/Piwigo/issu...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2023-01-24 20:04 UTC by Alexander Bezrukov
Modified:	2023-01-25 18:20 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2021-40313, CVE-2021-40678, CVE-2021-40882, CVE-2021-45357, CVE-2022-24620, CVE-2022-26266, CVE-2022-26267 CVE-2021-40317, CVE-2021-40553, CVE-2022-32297, CVE-2022-37183, CVE-2023-26876
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bezrukov 2023-01-24 20:04:55 UTC

See the $URL.

The vulnerability allows a normal user to store a an arbitrary script which has a very good chance to be executed later when administrator logs in and check users' activities.

Reproducible: Always

Steps to Reproduce:
See the $URL
Actual Results:  
XSS

Expected Results:  
Normal users should not be allowed to arbitrarily elevate their privileges.

Updating is as easy as renaming the ebuild to piwigo-13.5.0.

Comment 1 John Helmert III archtester

2023-01-24 23:02:40 UTC

Yay, another piwigo issue.

Comment 2 Bernard Cafarelli gentoo-dev

2023-01-25 17:36:46 UTC

At least this one has a clear fixed in version :) Bumping to 13.5.0 and cleaning

Comment 3 Larry the Git Cow gentoo-dev

2023-01-25 17:56:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c2e31b86cb3be378f7ce3c2d6bab7b902a70f0

commit 85c2e31b86cb3be378f7ce3c2d6bab7b902a70f0
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-01-25 17:37:50 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-01-25 17:54:48 +0000

    www-apps/piwigo: 13.5.0 bump, remove old versions
    
    Bug: https://bugs.gentoo.org/891971
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                           |  3 +-
 www-apps/piwigo/piwigo-13.4.0.ebuild               | 44 ----------------------
 .../{piwigo-13.3.0.ebuild => piwigo-13.5.0.ebuild} |  2 +-
 3 files changed, 2 insertions(+), 47 deletions(-)

Comment 4 John Helmert III archtester

2023-01-25 18:20:35 UTC

Indeed, all done!