Gphotos Directory Traversal and Cross Site Scripting

CVE: CVE-2021-21383
Category: CWE-22
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2006-05-23
CPE: cpe:cpe:/a:google:gphotos
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02193
EPSSP: 0.50148

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006050103

Below is a copy:

Details

The first vulnerability is due to an input validation error in the "index.php", "diapo.php" and "affich.php" scripts, which do not validate the "rep" and "image" variables. This may be exploited to conduct cross-site scripting attacks.

http://target/index.php?rep=[xss]

http://target/diapo.php?rep=[xss]

http://target/affich.php?image=[xss]

The second flaw is due to an input validation error in the "index.php" script, which fails to properly validate the "rep" variable. This may be exploited to disclose the contents of arbitrary folders.

http://target/index.php?rep=../../../

Vulnerable versions

GPhotos 1.5 and prior

Credits

Moroccan Security

Contact

[ Psych0 ] <doz(at)bsdmail(dot)com>
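
The two missing checks described in the advisory, as an added defensive example that is not taken from GPhotos or from the advisory: the "rep" value is resolved to a canonical path and accepted only when it stays under the gallery root, and any value echoed into HTML is encoded first. The function names, the sample inputs and the temporary gallery root are assumptions, since the page does not show the application's source.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: resolve a user-supplied "rep" value to a directory
 * inside $root. Returns the canonical path, or null when the value is
 * missing on disk, is not a directory, or escapes the root.
 */
function resolve_album(string $root, string $rep): ?string
{
    if (strpos($rep, "\0") !== false) {
        return null;                       // reject embedded NUL bytes up front
    }
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $rep);
    if ($base === false || $path === false || !is_dir($path)) {
        return null;
    }
    // Compare canonical paths: after realpath() every ".." and symlink is resolved,
    // so a simple prefix test on "<root>/" is a sound containment check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path !== $base && strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Hypothetical helper: encode a value for HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo: a throwaway gallery root holding one album directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gphotos_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'holiday', 0700, true);

// Constructed inputs: one valid album, two traversal forms, one markup string.
foreach (['holiday', '../../../', 'holiday/../..', '"><i>x</i>'] as $rep) {
    $dir = resolve_album($root, $rep);
    $result = $dir === null ? 'rejected' : 'ok: ' . h(basename($dir));
    printf("rep=%s => %s\n", h($rep), $result);   // the echoed input is always encoded
}

rmdir($root . DIRECTORY_SEPARATOR . 'holiday');
rmdir($root);
```

The same encoding helper applies to the "image" parameter of "affich.php" wherever its value is written back into the page.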
