Closed by plegall 4 years ago
CVE-2020-9468 reported by Zak S.
Further, a malicious user can modify the value of the 'image_id' parameter to any existing image id. There are no access controls to prevent a user from manipulating information on images that are in albums to which they do not have access.
Fixed on https://github.com/plegall/Piwigo-community/commit/453c9d083dd76d6948d95d70d253fe58aa0e0648#diff-f6b85d15e4b70dbdd9e81f457d9df695L267
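An object-level authorization check of the kind the report describes as missing, shown as an added example; it is not code from the Piwigo community plugin or from the linked commit. The function names and the in-memory permission tables are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not Piwigo's schema): image id => album id,
// and user name => ids of the albums that user may access.
const IMAGE_ALBUM = [101 => 1, 102 => 2];
const USER_ALBUMS = ['alice' => [1], 'bob' => [1, 2]];

/**
 * Hypothetical helper: may $user edit the image named by a request-supplied
 * image_id? Denies by default.
 */
function can_edit_image(string $user, mixed $rawImageId): bool
{
    // Accept only a plain positive integer; arrays, null and non-numeric
    // strings all fail validation.
    $imageId = filter_var($rawImageId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($imageId === false || $imageId === null) {
        return false;
    }
    // An unknown image gets the same answer as a forbidden one, so the
    // response does not reveal which ids exist.
    if (!array_key_exists($imageId, IMAGE_ALBUM)) {
        return false;
    }
    // The image's album must be one the requesting user has access to.
    return in_array(IMAGE_ALBUM[$imageId], USER_ALBUMS[$user] ?? [], true);
}

/** Hypothetical edit handler: authorize first, only then write. */
function update_image_title(string $user, array $request, array &$titles): bool
{
    if (!can_edit_image($user, $request['image_id'] ?? null)) {
        return false;
    }
    $titles[(int) $request['image_id']] = (string) ($request['title'] ?? '');
    return true;
}

// Constructed requests: alice has album 1 only, image 102 is in album 2.
$titles = [];
var_dump(update_image_title('alice', ['image_id' => '101', 'title' => 'ok'], $titles));
var_dump(update_image_title('alice', ['image_id' => '102', 'title' => 'x'], $titles));
var_dump(update_image_title('bob', ['image_id' => '102', 'title' => 'ok'], $titles));
var_dump($titles);
```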