Piwigo Vulnerability Allowing Application Takeover via Remote Code Execution
CVE-2024-26450
Currently unrated
What is CVE-2024-26450?
A vulnerability exists in Piwigo versions prior to 14.2.0 that allows an attacker to perform a takeover of the application. This exploit leverages a combination of Cross Site Request Forgery (CSRF) and Stored Cross Site Scripting (XSS) to execute malicious JavaScript. Specifically, an attacker can store a malicious payload within the dashboard of an Admin user, facilitating the upload of a rogue PHP file. Once this file is executed, the attacker can remotely connect back to a listener from the compromised admin's instance, compromising the affected application further.