CVE-2021-24362Cross-site Scripting in Photo Gallery

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 56.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
10web Photo Gallery
Timeline
PublishedAug 16
Latest updateMay 24

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

NVD10web/photo_gallery< 1.5.75

🔴Vulnerability Details

2
GHSA
GHSA-pg42-7827-374h: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 12022-05-24
CVEList
Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG2021-08-16
CVE-2021-24362 — Cross-site Scripting in Photo Gallery | cvebase