CVE-2021-24310 — Cross-site Scripting in Photo Gallery BY 10web Mobile-friendly Image Gallery

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

CNA6.1

EPSS

0.2%

top 59.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

10web Photo Gallery BY 10web Mobile-friendly Image Gallery 10web Photo Gallery

Timeline

PublishedJun 1

Latest updateMay 24

Description

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV510web/photo_gallery_by_10web_mobile-friendly_image_gallery1.5.67 — 1.5.67

▶NVD10web/photo_gallery< 1.5.67

🔴Vulnerability Details

GHSA

GHSA-4fx9-rq9m-9gq2: The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1↗2022-05-24

▶

CVEList

Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title↗2021-06-01

▶