Piwigo 'register.php' Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	39958
Class:	Input Validation Error
CVE:	CVE-2010-1707
Remote:	Yes
Local:	No
Published:	May 06 2010 12:00AM
Updated:	May 06 2010 12:00AM
Credit:	Mohammed Boumediane
Vulnerable:	Piwigo Piwigo 2.0.9
Not Vulnerable:

Piwigo 'register.php' Multiple Cross Site Scripting Vulnerabilities

Piwigo is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Piwigo 2.0.9 is affected; prior versions may also be affected.

Piwigo 'register.php' Multiple Cross Site Scripting Vulnerabilities

Attackers can use a browser to exploit these issues.

Piwigo 'register.php' Multiple Cross Site Scripting Vulnerabilities

Solution:
Vendor updates are available in the SVN repository. Contact the vendor for more information.

Piwigo 'register.php' Multiple Cross Site Scripting Vulnerabilities

References:

• Piwigo Homepage (Piwigo)
  
• Piwigo Two Cross-Site Scripting Vulnerabilities (Mohammed Boumediane, Vupen)