CVE-2024-52701 is a stored cross-site scripting (XSS) vulnerability identified in Piwigo version 14.5.0, a popular open-source photo gallery software. The vulnerability exists in the Configuration page, specifically within the Page banner parameter, which accepts user input that is not properly sanitized or encoded before being stored and rendered. An attacker with at least limited privileges (PR:L) can inject crafted malicious JavaScript or HTML payloads into this parameter. When other users or administrators view the affected configuration page, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability requires user interaction (UI:R) to trigger, and the scope is changed (S:C), meaning the impact crosses security boundaries, affecting other users or components. The CVSS 3.1 base score is 5.4, reflecting medium severity due to the combination of network attack vector (AV:N), low attack complexity (AC:L), and partial confidentiality and integrity impacts (C:L/I:L/A:N). No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. This CWE-79 classified vulnerability underscores the risks of insufficient input validation and output encoding in web applications, especially in administrative interfaces that control site configuration.

The primary impact of CVE-2024-52701 is the potential compromise of confidentiality and integrity within organizations using Piwigo 14.5.0. Successful exploitation can allow attackers to execute arbitrary scripts in the context of authenticated users, leading to session hijacking, theft of sensitive information such as authentication tokens, or unauthorized configuration changes. Although availability is not directly affected, the integrity of the application and user trust can be severely undermined. This can result in reputational damage, especially for organizations relying on Piwigo for public-facing photo galleries or internal media management. Attackers with limited privileges can escalate their influence by exploiting this vulnerability, potentially gaining further access or control. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits following public disclosure. Organizations with multiple users accessing the configuration page are at higher risk due to the stored nature of the XSS payload, which affects all users viewing the compromised parameter.

To mitigate CVE-2024-52701, organizations should implement several specific measures beyond generic advice: 1) Immediately restrict access to the Configuration page to only the most trusted administrators using strong authentication and network segmentation. 2) Apply strict input validation on the Page banner parameter to allow only safe characters and reject or sanitize any HTML or script tags before storage. 3) Implement robust output encoding (e.g., HTML entity encoding) when rendering the Page banner content to prevent script execution. 4) Monitor logs and user activity for unusual changes or access patterns to the configuration interface. 5) If a patch becomes available from Piwigo, prioritize timely deployment. 6) Consider deploying a web application firewall (WAF) with rules to detect and block XSS payloads targeting the configuration page. 7) Educate administrators about the risks of stored XSS and safe handling of configuration inputs. 8) Regularly audit and review configuration parameters for unexpected or suspicious content. These targeted actions will reduce the attack surface and limit the potential for exploitation.