Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918534 (CVE-2023-37270, CVE-2023-44393) - <www-apps/piwigo-14.0.0: multiple vulnerabilities
Summary: <www-apps/piwigo-14.0.0: multiple vulnerabilities
Alias: CVE-2023-37270, CVE-2023-44393
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2023-11-25 16:56 UTC by John Helmert III
Modified: 2023-12-18 07:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 16:56:53 UTC
CVE-2023-44393 (

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.

Fixed in 14.0.0beta4.

CVE-2023-37270 (

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.

Fixed in 13.8.0.

I guess we need a 14.0 release here.
Comment 1 Bernard Cafarelli gentoo-dev 2023-11-28 12:14:03 UTC
At least for CVE-2023-37270 I have dropped previous version (only 13.8.0 is in tree now).
For the other one, indeed let's wait for 14.0 as I have never seen stable backports in piwigo. 14.0rc1 was released 2 weeks ago so hopefully this will not be too long
Comment 2 Bernard Cafarelli gentoo-dev 2023-12-17 23:44:46 UTC
14.0 looks good here (added a few days ago), I am cleaning older versions so we should be good with this bug
Comment 3 Larry the Git Cow gentoo-dev 2023-12-17 23:44:58 UTC
The bug has been referenced in the following commit(s):

commit d8e8be9ff0d6f86bfeb772798c9b9c43bbe2f1b1
Author:     Bernard Cafarelli <>
AuthorDate: 2023-12-17 23:42:59 +0000
Commit:     Bernard Cafarelli <>
CommitDate: 2023-12-17 23:42:59 +0000

    www-apps/piwigo: drop 13.8.0
    Signed-off-by: Bernard Cafarelli <>

 www-apps/piwigo/Manifest             |  1 -
 www-apps/piwigo/piwigo-13.8.0.ebuild | 44 ------------------------------------
 2 files changed, 45 deletions(-)
Comment 4 Hans de Graaff gentoo-dev Security 2023-12-18 07:18:18 UTC
All done, thanks!