MantisBT - Piwigo
View Issue Details
ID: 0002805
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2012.12.13 10:26
Last Update: 2012.12.13 11:55
Reporter: plg
Assigned To: plg
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.4.5
Target Version: 2.4.6
Fixed in Version: 2.4.6
Browser: any
Web server: Apache 1.3.x
0002805: XSS from EXIF/IPTC metadata
An arbitrary tag or script may be executed in the user's browser. For example with <script>alert("maker")</script> as the EXIF:Make field.

This vulnerability can only be used with user upload (Community) and no validation from the administrators (this is why this is a minor security issue).
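The report describes metadata fields being written into the page unescaped. The following is an added illustration, not Piwigo's own code: it models a metadata reader that returns raw strings (the sample values, including the report's payload in the Make field, are constructed), renders them once the way the report describes and once with HTML escaping applied to every field, and shows that the payload survives as live markup only in the first case. Function and field names are assumptions chosen for the example.

```python
import html

# Constructed sample: metadata as a reader would return it from an uploaded
# file. The Make value is the payload quoted in the report; the Model value
# targets the attribute context and is added here for illustration.
SAMPLE_EXIF = {
    "Make": '<script>alert("maker")</script>',
    "Model": 'X" onmouseover="alert(1)',
    "DateTimeOriginal": "2012:12:13 10:26:00",
}


def render_vulnerable(exif):
    """Interpolates metadata straight into HTML text and attribute contexts.

    This is the pattern the report describes: whatever the camera (or the
    uploader) wrote into the field becomes part of the page.
    """
    rows = "".join(
        f'<tr><td>{key}</td><td title="{value}">{value}</td></tr>'
        for key, value in exif.items()
    )
    return f"<table>{rows}</table>"


def render_hardened(exif):
    """Escapes every field before interpolation.

    quote=True is required because the value is also placed inside a
    double-quoted attribute; escaping < and > alone would not stop the
    attribute-breakout payload in the Model field.
    """
    rows = "".join(
        "<tr><td>{k}</td><td title=\"{v}\">{v}</td></tr>".format(
            k=html.escape(key, quote=True),
            v=html.escape(value, quote=True),
        )
        for key, value in exif.items()
    )
    return f"<table>{rows}</table>"


def fields_needing_escape(exif):
    """Returns the names of fields whose value would change under escaping.

    Useful as a quick audit of which metadata keys an uploader can use to
    smuggle markup; a field whose escaped form equals the raw form is inert
    in both HTML text and attribute contexts.
    """
    return sorted(
        key for key, value in exif.items()
        if html.escape(value, quote=True) != value
    )


if __name__ == "__main__":
    print("raw fields that carry markup:", fields_needing_escape(SAMPLE_EXIF))
    print("vulnerable output contains <script>:",
          "<script>" in render_vulnerable(SAMPLE_EXIF))
    print("hardened output contains <script>:",
          "<script>" in render_hardened(SAMPLE_EXIF))
```

The check in fields_needing_escape is deliberately context-agnostic: it flags any field that could alter either the text or the attribute context, which is the conservative question to ask when metadata comes from an untrusted upload.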
No tags attached.
Relationships: related to 0002899 (closed, plg): ability to allow HTML in EXIF/IPTC
Issue History
2012.12.13 10:26  plg  New Issue
2012.12.13 10:26  plg  Status: new => assigned
2012.12.13 10:26  plg  Assigned To: => plg
2012.12.13 10:26  plg  Browser: => any
2012.12.13 10:26  plg  Web server: => Apache 1.3.x
2012.12.13 10:27  svn  Checkin
2012.12.13 10:27  svn  Note Added: 0006771
2012.12.13 10:33  svn  Checkin
2012.12.13 10:33  svn  Note Added: 0006772
2012.12.13 11:55  plg  Status: assigned => closed
2012.12.13 11:55  plg  Resolution: open => fixed
2012.12.13 11:55  plg  Fixed in Version: => 2.4.6
2013.05.14 10:05  plg  Relationship added: related to 0002899

Notes
(0006771)
svn
2012.12.13 10:27
[Subversion] r19417 by plg on branch 2.4

-----[Subversion commit log]----------------------------------------------------
bug 2805: avoid XSS from EXIF/IPTC
(0006772)
svn
2012.12.13 10:33
[Subversion] r19418 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
merge r19417 from branch 2.4 to trunk

bug 2805: avoid XSS from EXIF/IPTC