
Reflected Cross-Site Scripting (XSS) in NextGEN Gallery

Affected Vendor

Imagely

Status

Fixed

Date

17th Feb, 2015

Medium Severity

Description

Multiple Cross-Site Scripting (XSS) vulnerabilities were identified in the WordPress plugin NextGEN Gallery before 2.1.15, in the nggallery-manage-gallery page (wp-admin/admin.php?page=nggallery-manage-gallery). The affected inputs are the images[1][alttext] POST parameter and the path variable.

Proof of concept (PoC)

Visit the following page on a site with this plugin installed:

http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1

In NextGEN Gallery (Photocrati) version 2.1.10, set the value of the images[1][alttext] field and of the path variable to the following payload and save the gallery:

')"></script><script>alert(document.cookie);</script>

The saved payload is then executed whenever a user views the page.

Note: the payload was tested with the following setting in wp-config.php, which removes the unfiltered_html capability from every role, including administrators:

define('DISALLOW_UNFILTERED_HTML', true);

The images[1][alttext] POST parameter of NextGEN Gallery plugin version 2.1.10 at http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 is vulnerable to Cross-Site Scripting (XSS).

Figure 01: Payload entered in the images[1][alttext] field at http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1

Figure 02: XSS payload executed in the browser when the user views the page.

Figure 03: XSS payload injected into the path variable at http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=3&paged=1

Figure 04: XSS payload executed in the browser when the user views the page.
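To make the failure mode concrete, the following Python script is added here as an illustration; it is not NextGEN Gallery's code, and the two render_* templates are hypothetical stand-ins for the gallery edit form rather than the plugin's real markup. It renders an alttext value into an HTML attribute once without escaping and once with attribute-context escaping, then runs both results through a real HTML parser to show which version yields a <script> element a browser would execute, and whether the stored value survives intact.

```python
import html
from html.parser import HTMLParser

# Payload taken from the advisory's PoC, written with straight quotes.
PAYLOAD = "')\"></script><script>alert(document.cookie);</script>"

# Hypothetical stand-in for the gallery edit form; the real plugin markup may differ.
FIELD = '<input type="text" name="images[{gid}][alttext]" value="{value}">'


def render_unsafe(alttext: str, gid: int = 1) -> str:
    """Interpolates the stored alttext straight into the attribute (the vulnerable pattern)."""
    return FIELD.format(gid=gid, value=alttext)


def render_safe(alttext: str, gid: int = 1) -> str:
    """Same template, but the value is escaped for an HTML attribute context.

    html.escape(..., quote=True) turns & < > " ' into entities, which is the
    treatment WordPress' esc_attr() applies to attribute values.
    """
    return FIELD.format(gid=gid, value=html.escape(alttext, quote=True))


class ScriptCollector(HTMLParser):
    """Records every <script> body the browser would run and every alttext value it would see."""

    def __init__(self) -> None:
        super().__init__()
        self._in_script = False
        self.scripts: list[str] = []
        self.alttext_values: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "input":
            attr_map = dict(attrs)
            if (attr_map.get("name") or "").endswith("[alttext]"):
                # HTMLParser decodes entities in attribute values, like a browser does.
                self.alttext_values.append(attr_map.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _parse(page: str) -> ScriptCollector:
    collector = ScriptCollector()
    collector.feed(page)
    collector.close()
    return collector


def executed_scripts(page: str) -> list[str]:
    """Return the script bodies a browser would execute when rendering `page`."""
    return [s.strip() for s in _parse(page).scripts if s.strip()]


def stored_alttext(page: str) -> str:
    """Return the alttext value the browser would show in the edit form, or '' if none."""
    values = _parse(page).alttext_values
    return values[0] if values else ""


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(PAYLOAD)
        print(f"{name}: scripts={executed_scripts(page)!r} alttext={stored_alttext(page)!r}")
```

With the unescaped template the parser closes the input element at the payload's `"` and then sees a live `<script>` element, and the attribute keeps only the two characters before the break-out; with attribute escaping no script element exists and the full text round-trips unchanged. The leading `')` of the payload is there to close a JavaScript string and call as well, so a value that lands inside an inline handler or a script block needs JavaScript-context encoding first (esc_js or JSON encoding) and attribute escaping on top; attribute escaping alone is not enough in that context.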


Impact

The vulnerability allows an attacker to inject arbitrary HTML and JavaScript into the application via the images[1][alttext] and path parameters. The injected script runs in the browser of any user who views the affected gallery page in the WordPress administration area; the PoC above demonstrates this by reading document.cookie.

Remediations

Update to the latest version of the NextGEN Gallery plugin and apply the patch as per the vendor advisory.

Timeline

Feb 17, 2015: Discovered in NextGEN Gallery version 2.1.7.
Feb 17, 2015: Reported to WordPress.
Feb 18, 2015: The vendor acknowledged the issue.
Sep 04, 2015: The same vulnerability was found again in NextGEN Gallery version 2.1.10.
Sep 09, 2015: The same vulnerability was found to still exist in NextGEN Gallery version 2.1.15.
Sep 14, 2015: Reported the multiple XSS issues in version 2.1.15 directly to the vendor (Photocrati) and reminded the developer.

Discovered by

Cyber Security Works Pvt. Ltd.


  • Affected Vendor: Imagely
  • Bug Name: Reflected Cross-Site Scripting (XSS)
  • CVE Number: CVE-2015-9229
  • CWE ID: CWE-79
  • CSW ID: 2015-CSW-09-1004
  • CVSSv3 Score: 4.8
  • Affected Version: 2.1.15
  • Severity: Medium
  • Affected Product: NextGEN Gallery