CVE-2024-28662 is a medium severity Cross Site Scripting (XSS) vulnerability identified in the Piwigo photo gallery software before version 14.3.0. The vulnerability stems from a lack of proper sanitization of user input in the create_tag function located in admin/include/functions.php. Specifically, this function fails to adequately cleanse input data before rendering it in the administrative interface, allowing an authenticated user with privileges to inject malicious scripts. When exploited, the injected scripts can execute in the context of the administrator's browser session, potentially leading to theft of session tokens, unauthorized actions, or manipulation of the web interface. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network with low complexity, requires low privileges (authenticated user), and user interaction (clicking a crafted link or inputting malicious data). The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and patched in version 14.3.0. Piwigo is widely used as an open-source photo gallery solution, often deployed on web servers in small to medium organizations, hobbyists, and some enterprises. The vulnerability is classified under CWE-79, a common XSS weakness. Mitigation involves upgrading to the fixed version and applying best practices for input validation and access control.

The primary impact of CVE-2024-28662 is the potential compromise of administrative sessions and data integrity within Piwigo installations. Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the administrator's browser context, which can lead to session hijacking, unauthorized changes to gallery content or settings, and possible pivoting to other parts of the network. Although the vulnerability does not directly affect availability, the loss of confidentiality and integrity can undermine trust in the affected system and lead to data leakage or defacement. Organizations relying on Piwigo for managing photo galleries, especially those with sensitive or proprietary images, face reputational damage and operational disruption if exploited. The requirement for authenticated access limits the attack surface but does not eliminate risk, particularly in environments with weak credential management or social engineering vulnerabilities. The medium CVSS score reflects moderate risk but should not be underestimated in targeted attacks.

To mitigate CVE-2024-28662, organizations should immediately upgrade Piwigo installations to version 14.3.0 or later, where the vulnerability is patched. If upgrading is not immediately possible, administrators should restrict access to the administrative interface by IP whitelisting or VPN enforcement to reduce exposure. Implement strict authentication policies including strong passwords and multi-factor authentication to limit the risk of compromised credentials. Monitor web server logs and application behavior for unusual input patterns or script injection attempts. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Educate administrators and users about phishing and social engineering risks that could facilitate exploitation. Regularly review and sanitize all user inputs in custom plugins or extensions to prevent similar vulnerabilities. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.