Date: Fri, 5 Oct 2012 23:54:24 -0500
From: Raphael Geissert <>
Subject: CVE request: piwigo XSS in password.php


An XSS vulnerability has been reported in piwigo's password.php before 2.4.4:

However, as stated in the Secunia advisory, the fix does not entirely address 
the issue. For context, the stripslashes/strip_tags'ed POST variable is 
included in the template as follows:
<input type="text" id="username_or_email" name="username_or_email" ... 

(some parts redacted for clarity)

So, two ids are needed. Thanks in advance.

Piwigo 2.3.1 also seems to be affected but 2.1.2 doesn't.

Raphael Geissert - Debian Developer -
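As an added illustration (not part of the message above and not Piwigo's code), the snippet below contrasts the sanitisation pattern the report describes, stripslashes() followed by strip_tags(), with context-correct output encoding for an HTML attribute. It assumes the POST variable lands in a value="..." attribute of the input element quoted in the report; the report's own template line is elided after the name attribute, so that placement is an assumption, and the function names and the sample input are constructed for this example.

```php
<?php
// Added example, not Piwigo's code. Shows why strip_tags()/stripslashes() are
// not an escaping step for an HTML attribute and what correct escaping looks like.
// The report's template line reads roughly:
//   <input type="text" id="username_or_email" name="username_or_email" ...
// Assumption: the POST variable ends up in a value="..." attribute of that tag.
// Function names below are hypothetical; the field name comes from the report.

// Mimics the handling the report describes: slashes and tags are removed, but a
// double quote survives both calls and can terminate the value="..." attribute.
function render_input_unsafe(string $raw): string
{
    $value = strip_tags(stripslashes($raw));
    return '<input type="text" id="username_or_email" name="username_or_email" value="'
        . $value . '">';
}

// Context-correct output encoding: htmlspecialchars() with ENT_QUOTES turns both
// quote characters and the angle brackets into entities, so the value can never
// close the attribute, regardless of which tags were stripped earlier.
function render_input_safe(string $raw): string
{
    $value = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="username_or_email" name="username_or_email" value="'
        . $value . '">';
}

// Crude structural check: the tag has four attributes, so exactly eight double
// quotes should appear in the rendered markup. Any extra quote means the user
// value broke out of its attribute.
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 8;
}

// Constructed sample input containing a double quote (not a real submission).
$sample = 'o"reilly';

echo render_input_unsafe($sample), PHP_EOL;
echo render_input_safe($sample), PHP_EOL;
var_dump(attribute_intact(render_input_unsafe($sample)));
var_dump(attribute_intact(render_input_safe($sample)));
```

Run with `php example.php`: the first rendering carries the raw quote through strip_tags() and fails the structural check, while the second renders it as `&quot;` and passes. The point for reviewers of such fixes is that tag stripping addresses only the text-node context; a value placed inside an attribute needs attribute encoding (htmlspecialchars() with ENT_QUOTES, or the template engine's equivalent) at the point of output.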
