CVE-2023-44393 (https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg): Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue. Fixed in 14.0.0beta4.

CVE-2023-37270 (https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx): Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately. Fixed in 13.8.0.

I guess we need a 14.0 release here.
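The two advisories quoted above describe the same two defects every web application has to guard against: a URL parameter reflected into HTML without encoding, and a request header concatenated into SQL. The snippet below is an added illustration written for this bug, not Piwigo's code or the upstream fix; the table name `user_login_log`, its columns, and the function names are assumptions. It shows the output-encoding and allow-list check that defuse the `plugin_id` reflection, and the prepared statement (plus the escaped-string fallback the second advisory mentions) that keeps a `User-Agent` value from altering the INSERT.

```php
<?php
// Added illustration (not Piwigo's code). Function, table and column names
// are hypothetical; the patterns are the generic fixes for the two CVEs above.

declare(strict_types=1);

// CVE-2023-44393 pattern: a URL parameter echoed back into the HTML page.
// htmlspecialchars() converts <, >, &, " and ' so the browser renders the
// value as text instead of parsing it as markup or script.
function render_install_status(string $plugin_id): string
{
    $safe = htmlspecialchars($plugin_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="infos">Plugin ' . $safe . ' installed.</p>';
}

// Stronger still when the value has a known shape: a plugin id is a
// directory name, so reject anything outside that character set up front.
function is_valid_plugin_id(string $plugin_id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $plugin_id);
}

// CVE-2023-37270 pattern: a request header written to the database.
// A prepared statement ships the SQL text and the parameters separately,
// so nothing in the header can change the statement's structure.
function record_login(mysqli $db, int $user_id, string $user_agent): void
{
    // Truncate to the assumed column width instead of trusting the client.
    $ua = mb_substr($user_agent, 0, 255);
    $stmt = $db->prepare(
        'INSERT INTO user_login_log (user_id, user_agent, logged_at) VALUES (?, ?, NOW())'
    );
    $stmt->bind_param('is', $user_id, $ua);
    $stmt->execute();
    $stmt->close();
}

// Fallback the advisory mentions for code that must build the SQL text itself:
// escape with the connection's own escaper AND quote the value in the query.
function record_login_escaped(mysqli $db, int $user_id, string $user_agent): void
{
    $ua = $db->real_escape_string(mb_substr($user_agent, 0, 255));
    $db->query(
        "INSERT INTO user_login_log (user_id, user_agent, logged_at) VALUES ($user_id, '$ua', NOW())"
    );
}

// Request handling (constructed usage): validate, then encode on output.
$plugin_id = (string) ($_GET['plugin_id'] ?? '');
if (!is_valid_plugin_id($plugin_id)) {
    http_response_code(400);
    exit('invalid plugin_id');
}
echo render_install_status($plugin_id);
```

The allow-list check and the output encoding are independent layers: the check stops malformed ids before any page is built, and the encoding makes the page safe even for a value that passed the check. For the database side, prefer `record_login()`; `record_login_escaped()` is only correct because the escaped value is also wrapped in single quotes, which is the detail that is easiest to forget when escaping by hand.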
At least for CVE-2023-37270 I have dropped the previous version (only 13.8.0 is in tree now). For the other one, indeed let's wait for 14.0, as I have never seen stable backports in piwigo. 14.0rc1 was released 2 weeks ago, so hopefully this will not be too long.
14.0 looks good here (added a few days ago); I am cleaning older versions, so we should be good with this bug.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8e8be9ff0d6f86bfeb772798c9b9c43bbe2f1b1

commit d8e8be9ff0d6f86bfeb772798c9b9c43bbe2f1b1
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-12-17 23:42:59 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-12-17 23:42:59 +0000

    www-apps/piwigo: drop 13.8.0

    Bug: https://bugs.gentoo.org/918534
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest             |  1 -
 www-apps/piwigo/piwigo-13.8.0.ebuild | 44 ------------------------------------
 2 files changed, 45 deletions(-)
All done, thanks!