CVE-2024-46605 is a cross-site scripting (XSS) vulnerability identified in Piwigo version 14.5.0, an open-source photo gallery software widely used for managing image collections. The vulnerability resides in the /admin.php?page=album component, specifically in the Description field where user input is insufficiently sanitized. An attacker can craft a malicious payload containing arbitrary JavaScript or HTML and inject it into this field. When an administrator or user with sufficient privileges views the affected album page, the malicious script executes in their browser context. This can lead to theft of session cookies, defacement, or execution of unauthorized actions within the administrative interface. The vulnerability does not require prior authentication to inject the payload but does require user interaction to trigger the script execution. The CVSS 3.1 base score of 6.1 reflects network attack vector, low attack complexity, no privileges required, but user interaction needed, and a scope change due to impact on other components. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. No official patches or fixes have been released at the time of publication, and no active exploitation has been reported. This vulnerability highlights the importance of robust input validation and output encoding in web applications, especially those with administrative interfaces exposed to the internet.

The primary impact of CVE-2024-46605 is on the confidentiality and integrity of administrative sessions within Piwigo installations. Successful exploitation can allow attackers to execute arbitrary scripts in the context of an administrator’s browser, potentially leading to session hijacking, unauthorized changes to photo albums, or injection of malicious content. While availability is not directly affected, the compromise of administrative control could indirectly disrupt service or lead to data loss. Organizations relying on Piwigo for managing sensitive or proprietary image collections may face reputational damage and data exposure. Since the vulnerability requires user interaction, phishing or social engineering could be leveraged to increase success rates. The lack of authentication requirement for injection broadens the attack surface, especially for publicly accessible Piwigo instances. The absence of known exploits in the wild currently limits immediate risk, but the medium severity score suggests that attackers could develop exploits rapidly. This vulnerability is particularly impactful for organizations with web-facing Piwigo admin panels and insufficient input sanitization controls.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict access to the /admin.php?page=album page using network-level controls such as IP whitelisting or VPN access to limit exposure to trusted users only. 2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the Description field, focusing on typical XSS attack patterns. 3) Educate administrators and users about the risk of clicking on untrusted links or interacting with unknown content within the Piwigo interface. 4) Review and sanitize all user inputs on the server side, applying strict output encoding to prevent script execution. 5) Monitor logs for unusual activity or repeated attempts to inject scripts into album descriptions. 6) Consider disabling or limiting the Description field functionality if feasible until a patch is available. 7) Stay updated with Piwigo security advisories and apply official patches promptly once released. 8) Conduct regular security assessments of the Piwigo deployment to identify and remediate similar input validation issues.