CVE-2024-46606 is a cross-site scripting (XSS) vulnerability identified in Piwigo version 14.5.0, specifically affecting the /admin.php?page=photo component. The vulnerability arises from insufficient input sanitization in the Description field, which allows an attacker to inject arbitrary HTML or JavaScript code. This can be exploited by an attacker who has at least low-level privileges (PR:L) and requires user interaction (UI:R), such as tricking an administrator or authorized user into viewing a crafted payload. The vulnerability impacts confidentiality and integrity by enabling script execution in the context of the victim's browser, potentially leading to session hijacking, defacement, or unauthorized actions within the application. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), partial privileges required, and user interaction needed. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are reported in the wild, and no official patches have been linked yet. The vulnerability is categorized under CWE-79, a common and well-understood class of XSS flaws. Piwigo is an open-source photo gallery software used globally by individuals and organizations to manage image collections, making this vulnerability relevant to a broad user base. The attack surface is limited to authenticated users with access to the admin photo page, reducing the risk of widespread exploitation but still posing a significant threat to affected installations.

The primary impact of CVE-2024-46606 is the execution of arbitrary scripts within the context of the vulnerable Piwigo application, which can compromise user confidentiality and data integrity. Attackers could steal session cookies, perform actions on behalf of legitimate users, or manipulate displayed content, potentially leading to unauthorized access or data leakage. Although availability is not directly affected, the trustworthiness of the application and its data could be undermined. Organizations using Piwigo for managing sensitive or private photo collections may face reputational damage and privacy violations if exploited. The requirement for authenticated access and user interaction limits the attacker's ability to exploit this vulnerability remotely without some level of insider access or social engineering. However, in environments where multiple users have admin or editor privileges, the risk of lateral movement and privilege escalation increases. The lack of an official patch at the time of disclosure means organizations must rely on interim mitigations, increasing exposure. Overall, the vulnerability poses a moderate risk to organizations worldwide that deploy Piwigo, especially those with multi-user administrative environments.

To mitigate CVE-2024-46606, organizations should implement the following specific measures: 1) Immediately restrict access to the /admin.php?page=photo component to only trusted administrators and reduce the number of users with editing privileges. 2) Employ strict input validation and output encoding on the Description field to sanitize any user-supplied content, using established libraries or frameworks that prevent XSS. 3) Deploy a Web Application Firewall (WAF) with rules designed to detect and block common XSS payloads targeting Piwigo. 4) Educate administrators and users about the risks of clicking on untrusted links or opening suspicious content within the admin interface to reduce successful social engineering attempts. 5) Monitor official Piwigo channels for security updates and apply patches promptly once released. 6) Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context. 7) Conduct regular security audits and penetration testing focused on input handling in administrative components. These targeted actions go beyond generic advice and address the specific attack vector and environment of this vulnerability.