WeddingShare is a self-hosted web application that acts as a place for guests to view and drop pictures of the big day (e.g. your wedding, birthday party and so on).
While testing WeddingShare, I noticed a Cross-Site Scripting (XSS) vulnerability in shared galleries. In detail, WeddingShare asks guests to provide their name so that the uploader of an image can be identified later. This name is subsequently displayed again without sanitization when an uploaded picture is inspected.
Successful exploitation allows for privilege escalation and may allow unauthenticated guests with knowledge of a gallery URL to target the website's administrator or other guests. User interaction is required though, as victims must actively preview an image with an XSS payload.
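To make the root cause concrete, here is an added example (my own illustration, not WeddingShare's code) of the pattern described above: a guest-supplied uploader name concatenated raw into the preview markup next to the same rendering with HTML escaping applied. The function names, the caption template and the sample names are constructed for this example and are not taken from the project.

```javascript
// Added example, not WeddingShare's code: rendering a guest-supplied
// uploader name into an image-preview caption, unsafe vs. escaped.

// Minimal HTML escaper for text placed inside an element body.
// Escaping the five characters below is sufficient for element content;
// attribute and URL contexts need their own encoders.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the stored name is inserted without encoding,
// so any markup the guest typed becomes part of the page (stored XSS).
function renderCaptionUnsafe(uploaderName) {
  return `<p class="uploader">Uploaded by ${uploaderName}</p>`;
}

// Hardened rendering: the name is encoded before it reaches the HTML,
// so it is displayed literally rather than interpreted.
function renderCaptionSafe(uploaderName) {
  return `<p class="uploader">Uploaded by ${escapeHtml(uploaderName)}</p>`;
}

// Check helper: does the rendered caption contain any tag beyond the
// template's own <p>...</p> wrapper? Useful as a unit-test oracle.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<p class="uploader">/, "")
    .replace(/<\/p>$/, "");
  return /<[a-zA-Z/!]/.test(inner);
}

// Constructed sample names: a plain name, one with an ampersand, and
// one carrying markup, as a guest could type into the name field.
const SAMPLE_NAMES = [
  "Alice",
  "Bob & Carol",
  'Mallory <script>alert("xss")</script>',
];

for (const name of SAMPLE_NAMES) {
  console.log("unsafe :", renderCaptionUnsafe(name),
              "| injected tag:", containsInjectedTag(renderCaptionUnsafe(name)));
  console.log("safe   :", renderCaptionSafe(name),
              "| injected tag:", containsInjectedTag(renderCaptionSafe(name)));
}
```

When the caption is built in the browser rather than on the server, the equivalent fix is to assign the name with `textContent` instead of `innerHTML`; a Content-Security-Policy without `'unsafe-inline'` is a reasonable second layer but does not replace output encoding.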
The issue was reported to the maintainer and promptly fixed in the new release v1.4.8.