CVE-2024-46333 is an authenticated cross-site scripting (XSS) vulnerability identified in Piwigo version 14.5.0, a popular open-source photo gallery management software. The vulnerability arises from insufficient sanitization of user input in the Album Name parameter within the Add Album function. An attacker with authenticated access and high privileges can craft a malicious payload containing arbitrary JavaScript or HTML code and inject it into the Album Name field. When other users or administrators view the album list or details, the injected script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability requires both authentication and user interaction, as the victim must view the malicious content for exploitation to succeed. The CVSS v3.1 base score of 4.8 reflects a medium severity rating, with the vector indicating network attack vector, low attack complexity, high privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input leading to XSS. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling user-generated content with administrative functions.

The primary impact of CVE-2024-46333 is on the confidentiality and integrity of user sessions and data within Piwigo installations. Successful exploitation can allow attackers to execute arbitrary scripts in the context of other users, potentially leading to session hijacking, theft of authentication tokens, or unauthorized actions performed with the victim’s privileges. This can result in unauthorized access to sensitive photo galleries, modification or deletion of albums, or further lateral movement within the affected environment. Although availability is not impacted, the breach of trust and potential data leakage can have reputational and operational consequences for organizations relying on Piwigo for digital asset management. Since exploitation requires authenticated access with high privileges, the threat is more relevant to insider threats or compromised accounts. Organizations worldwide using Piwigo, especially those with sensitive or private photo collections, are at risk of targeted attacks leveraging this vulnerability.

To mitigate CVE-2024-46333, organizations should immediately restrict access to the Add Album function to trusted users and monitor for suspicious activity involving album creation or modification. Implement strict input validation and output encoding on the Album Name parameter to neutralize any injected scripts. Until an official patch is released, consider applying web application firewall (WAF) rules to detect and block malicious payloads targeting the Album Name field. Conduct regular audits of user privileges to minimize the number of users with high-level access capable of exploiting this vulnerability. Educate users and administrators about the risks of XSS and the importance of cautious interaction with user-generated content. Additionally, monitor logs for unusual patterns indicative of attempted exploitation. Once a patch is available, apply it promptly. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.