#VU37746 Cross-site request forgery in Piwigo - CVE-2017-17827

Cybersecurity Help s.r.o.

Published: 2017-12-21 | Updated: 2020-08-08

Vulnerability identifier: #VU37746

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-17827

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Piwigo
Web applications / CMS

Vendor: Piwigo.org

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Piwigo: 2.9.2

External links
https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f
https://github.com/Piwigo/Piwigo/issues/822
https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Piwigo