VYPR
Medium severity · 4.8 · OSV Advisory · Published Dec 21, 2017 · Updated May 13, 2026

CVE-2017-17825

Description

The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Piwigo 2.9.2 Batch Manager has a persistent XSS via tags-* array parameters, allowing an attacker to hijack the browsers of administrators who view the affected page.

Vulnerability

The Batch Manager component in Piwigo 2.9.2 is vulnerable to persistent cross-site scripting (XSS). The flaw resides in the admin.php?page=batch_manager&mode=unit endpoint, where the tags-* array POST parameters are not properly sanitized before being stored and later rendered. This affects Piwigo versions up to and including 2.9.2 [1].

Exploitation

An attacker must have administrative access to the Piwigo application to reach the vulnerable batch manager page. The attacker submits a crafted tags-*[] parameter containing malicious JavaScript. The payload is stored and then executed in the browsers of other administrators who view the affected page, without requiring any additional user interaction [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, and other client-side attacks. The attacker gains the same privileges as the victim administrator [1].

Mitigation

The vendor has released a patch for this issue. Administrators should upgrade Piwigo to a version later than 2.9.2. As a general best practice, all user-supplied input should be sanitized using context-specific filtering before being displayed. No other workarounds are documented [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Piwigo/Piwigo (OSV), 2 version entries: 2.8.0RC1, 2.8.0RC2, 2.9.0, … + 1 more
    • (no CPE) range: 2.8.0RC1, 2.8.0RC2, 2.9.0, …
    • (no CPE) range: = 2.9.2

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper neutralization of user-controllable input in tags-*[] POST parameters allows stored cross-site scripting."

Attack vector

An attacker with admin panel access sends a crafted POST request to `/admin.php?page=batch_manager&mode=unit` containing malicious JavaScript in `tags-*[]` parameters. The payload is stored and later executed in the browser of any admin user who views the affected page, allowing the attacker to hijack the client's browser and its stored data [CWE-79] [ref_id=1]. The attack requires high privileges (admin) and user interaction (viewing the page), but can be launched over the network with no special configuration.

Affected code

The vulnerability is in the Batch Manager component, accessed via `/admin.php?page=batch_manager&mode=unit`. The `tags-*[]` POST parameters are not sanitized before being rendered in the admin panel [ref_id=1].

What the fix does

The advisory recommends implementing a middleware or centralized controller that uses context-specific filtering to sanitize user input before it is printed to the page [ref_id=1]. No patch diff is included in the bundle, so the exact code changes are not shown. The vendor's patch is referenced but not provided in the available materials [ref_id=1].
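The context-specific encoding that the Mitigation and "What the fix does" sections describe, as an added PHP example that is not Piwigo's own code and does not model its storage or template layer: the function names, the `tags-<id>[]` naming convention and the sample POST body are all assumptions. It places the unsafe interpolation pattern beside a hardened version that encodes each tag value for the HTML context it lands in, and separately for an inline-script context, so that a stored value is always treated as data rather than markup.

```php
<?php
// Added example (not Piwigo's code): context-specific output encoding for
// tag values submitted through tags-*[] array POST parameters.
// All function names and the sample request below are hypothetical.

declare(strict_types=1);

/**
 * Collect every POST parameter whose name starts with $prefix (e.g. "tags-12")
 * and return its values as a flat list of strings, keyed by parameter name.
 * Scalar parameters and nested arrays are ignored so that only a list of
 * plain strings ever reaches the renderer.
 */
function collect_tag_params(array $post, string $prefix = 'tags-'): array
{
    $out = [];
    foreach ($post as $name => $value) {
        if (strncmp((string) $name, $prefix, strlen($prefix)) !== 0 || !is_array($value)) {
            continue;
        }
        $out[$name] = array_values(array_map('strval', array_filter($value, 'is_scalar')));
    }
    return $out;
}

/** Vulnerable pattern: the stored tag is interpolated into HTML unchanged. */
function render_tags_unsafe(array $tags): string
{
    $html = '<ul>';
    foreach ($tags as $tag) {
        $html .= '<li>' . $tag . '</li>';
    }
    return $html . '</ul>';
}

/** HTML body and attribute context: turn <, >, &, " and ' into entities. */
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Inline-script context: a JSON string literal with HTML-sensitive characters hex-escaped. */
function esc_js_literal(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Hardened pattern: same markup, every untrusted value encoded for its context. */
function render_tags_safe(array $tags): string
{
    $html = '<ul>';
    foreach ($tags as $tag) {
        // Attribute value and element text are both HTML contexts here.
        $html .= '<li data-tag="' . esc_html($tag) . '">' . esc_html($tag) . '</li>';
    }
    $html .= '</ul>';
    // The same list handed to client-side code as data, never concatenated as code.
    $html .= '<script>var tags = [' . implode(',', array_map('esc_js_literal', $tags)) . '];</script>';
    return $html;
}

// Constructed sample request: two tag parameters, one of them carrying markup.
$samplePost = [
    'tags-7'  => ['holiday', '<b>not a tag</b>'],
    'tags-12' => ['"quoted" tag'],
    'tags-3'  => 'scalar, ignored',
    'order'   => 'asc',
];

foreach (collect_tag_params($samplePost) as $param => $tags) {
    echo "$param (unsafe): " . render_tags_unsafe($tags) . "\n";
    echo "$param (safe):   " . render_tags_safe($tags) . "\n";
}
```

The point of keeping two encoders is that one routine cannot serve both contexts: `htmlspecialchars` output dropped inside a `<script>` block is still live JavaScript, and a JSON string literal placed in element text is still live HTML. Encoding at the moment of output, per context, is what the advisory's "context-specific filtering" amounts to in practice; filtering only at input time leaves every other output path unprotected.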

Preconditions

  • auth: Attacker must have admin panel access (high privilege level)
  • input: Victim admin user must view the affected batch manager page
  • network: POST request to /admin.php?page=batch_manager&mode=unit with tags-*[] parameters

Reproduction

Send a POST request to `/admin.php?page=batch_manager&mode=unit` with a `tags-*[]` parameter containing a JavaScript payload such as `">

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
