Piwigo version 2.10.1 is affected by a stored cross-site scripting vulnerability. This vulnerability exists in the "Group Name" field on the "group_list" page.

How to reproduce:
Log in to the application. Go to the "Users" -> "Groups" page from the left navigation menu. Click on the "Add Group" button, then insert the payload in the "Group Name" field and hit the add button.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8089
https://nvd.nist.gov/vuln/detail/CVE-2020-8089
I am adding the upstream patch with some PHP 7.4 fixes at the same time, and I will remove the current 2.10.1 ebuild at the same time.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b46d37e6fd1b061384d4fe6ad46ac54afd0a775

commit 2b46d37e6fd1b061384d4fe6ad46ac54afd0a775
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-02-29 20:53:46 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-02-29 20:53:46 +0000

    www-apps/piwigo: backport fix for CVE-2020-8089

    Drop old vulnerable version
    Also backport some PHP 7.4 compatibility fixes

    Bug: https://bugs.gentoo.org/709324
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/files/piwigo-2.10.1-css_vuln.patch | 94 ++++++++++++++++++++++
 .../files/piwigo-2.10.1-php7.4_deprecation.patch | 56 +++++++++++++
 .../piwigo/files/piwigo-2.10.1-php7.4_notice.patch | 41 ++++++++++
 ...iwigo-2.10.1.ebuild => piwigo-2.10.1-r1.ebuild} | 7 +-
 4 files changed, 197 insertions(+), 1 deletion(-)
Tree is clean.