Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891971 - <www-apps/piwigo-13.5.0: Stored XSS Vulnerability
Summary: <www-apps/piwigo-13.5.0: Stored XSS Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2023-01-24 20:04 UTC by Alexander Bezrukov
Modified: 2023-01-25 18:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bezrukov 2023-01-24 20:04:55 UTC
See the $URL.

The vulnerability allows a normal user to store a an arbitrary script which has a very good chance to be executed later when administrator logs in and check users' activities.

Reproducible: Always

Steps to Reproduce:
See the $URL
Actual Results:  

Expected Results:  
Normal users should not be allowed to arbitrarily elevate their privileges.

Updating is as easy as renaming the ebuild to piwigo-13.5.0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-24 23:02:40 UTC
Yay, another piwigo issue.
Comment 2 Bernard Cafarelli gentoo-dev 2023-01-25 17:36:46 UTC
At least this one has a clear fixed in version :) Bumping to 13.5.0 and cleaning
Comment 3 Larry the Git Cow gentoo-dev 2023-01-25 17:56:25 UTC
The bug has been referenced in the following commit(s):

commit 85c2e31b86cb3be378f7ce3c2d6bab7b902a70f0
Author:     Bernard Cafarelli <>
AuthorDate: 2023-01-25 17:37:50 +0000
Commit:     Bernard Cafarelli <>
CommitDate: 2023-01-25 17:54:48 +0000

    www-apps/piwigo: 13.5.0 bump, remove old versions
    Signed-off-by: Bernard Cafarelli <>

 www-apps/piwigo/Manifest                           |  3 +-
 www-apps/piwigo/piwigo-13.4.0.ebuild               | 44 ----------------------
 .../{piwigo-13.3.0.ebuild => piwigo-13.5.0.ebuild} |  2 +-
 3 files changed, 2 insertions(+), 47 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 18:20:35 UTC
Indeed, all done!