CVE-2024-26450 is a vulnerability identified in Piwigo, an open-source photo gallery software, affecting all versions prior to 14.2.0. The issue arises from the combination of two web security flaws: Cross Site Request Forgery (CWE-352) and Stored Cross Site Scripting (CWE-79). An attacker crafts a malicious request that, when an administrator visits their dashboard, triggers the stored XSS payload. This JavaScript executes with admin privileges in the browser, enabling the attacker to perform unauthorized actions such as uploading a PHP file (web shell) to the server. Once uploaded, the attacker can remotely invoke this PHP file to gain persistent remote code execution on the server hosting Piwigo. The vulnerability does not require prior authentication but does require the targeted admin to interact with the malicious payload (user interaction). The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction, and limited confidentiality and integrity impact without availability impact. No public exploit code or active exploitation has been reported yet. This vulnerability highlights the risk of chained web application vulnerabilities that escalate privileges and enable remote takeover.

The primary impact of CVE-2024-26450 is the potential full compromise of Piwigo installations running vulnerable versions. Successful exploitation allows attackers to execute arbitrary code on the server by uploading and invoking a PHP web shell. This can lead to unauthorized access to sensitive images and data stored within the gallery, defacement, data theft, or pivoting to other internal systems. Since Piwigo is often used by organizations and individuals to manage photo collections, the breach could result in privacy violations and reputational damage. The attack requires an administrator to interact with a malicious link or page, which may limit widespread exploitation but remains a significant risk in targeted attacks. The vulnerability does not affect availability directly but compromises confidentiality and integrity of the system. Organizations with publicly accessible Piwigo instances are at higher risk, especially if administrative users are less security-aware or if multi-factor authentication is not enforced.

To mitigate CVE-2024-26450, organizations should immediately upgrade Piwigo to version 14.2.0 or later, where the vulnerability is patched. Until patching is possible, administrators should restrict access to the dashboard using IP whitelisting or VPNs to reduce exposure. Implementing Content Security Policy (CSP) headers can help limit the impact of stored XSS by restricting script execution sources. Enforce multi-factor authentication for all admin accounts to reduce the risk of session hijacking. Educate administrators to avoid clicking on suspicious links or visiting untrusted sites while logged into the Piwigo admin interface. Regularly audit web server directories for unauthorized PHP files and monitor logs for unusual activity indicating web shell usage. Employ web application firewalls (WAFs) with rules to detect and block CSRF and XSS attack patterns. Finally, conduct security assessments and penetration tests focusing on chained web vulnerabilities to identify and remediate similar risks.