CVE-2025-62512 Scanner

Piwigo is a widely used open-source photo gallery application that enables users to manage and share photo albums on the web. Developed for both individual users and organizations, Piwigo serves as a powerful platform for hosting image collections. Its user-friendly interface and customization options make it a popular choice among photographers and web developers. With features supporting plugins and themes, Piwigo is often utilized by those seeking a flexible and scalable solution for photo management online. Its deployment covers a variety of scales, from personal blogs to large-scale photo sharing networks. Due to its open-source nature, it relies on community contributions for updates and security improvements.

The user enumeration vulnerability detected in this version of Piwigo allows unauthenticated attackers to determine whether a given username or email address exists in the system via the password reset functionality. The specific flaw stems from distinct messages returned for valid versus invalid accounts by the username or email verification process. This type of weakness is often exploited by attackers to gather intelligence for further, more targeted attacks against a system. The assessed severity reflects the risk of such exposure aiding in breaching social engineering defenses or simplifying brute-force password attacks.

The technical details of the vulnerability lie within the endpoint password.php?action=lost, which manages password reset operations. By sending crafted requests to this endpoint, attackers can detect the existence of user accounts based on the responses. The vulnerable parameter is either the username or email address field, where distinct server responses indicate the presence of valid accounts. Such vulnerabilities often exploit insufficient input validation or inconsistent error message handling practices during user authentication processes.

Exploiting this vulnerability can have several adverse effects, primarily through enabling attackers to map out valid accounts on the system. A successful enumeration may lead to increased success rates for targeted phishing attacks and social engineering attempts aimed at the users identified. It may also facilitate credential-stuffing attacks at a later stage, given the availability of usernames or email addresses for brute force attempts. Moreover, this exposure weakens the anonymity of user accounts and can compromise subsequent privacy initiatives.

REFERENCES

• https://github.com/Piwigo/Piwigo/security/advisories/GHSA-h4wx-7m83-xfxc