Wednesday, April 25, 2012

HTB23085: Piwigo multiple vulnerabilities (Directory Path Traversal, XSS)

Piwigo version 2.3.3 suffers from directory path traversal and cross-site scripting (XSS) vulnerabilities:
1. Directory Path Traversal: Input passed via the "language" GET parameter to "upgrade.php" is vulnerable to directory path traversal.
2. Cross-site scripting (XSS): Input passed via the "section", "installstatus" and "theme" GET parameters to "admin.php" is not properly sanitised before being returned to the user.
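Both findings come down to a missing input control: a file-selecting parameter that is not confined to an allowlist, and reflected parameters that are not encoded for the HTML context. The example below is added here for illustration; it is not Piwigo's code and not the vendor's fix. It shows the two controls in Python: a "language" value is accepted only if it matches the expected shape, is in the installed set, and resolves to a path inside the language directory (two independent checks, so a mistake in one is caught by the other), and reflected parameters are HTML-encoded before output. The directory layout, the language codes and the file name `common.lang.php` are constructed assumptions for the example.

```python
"""Added example (not Piwigo code): the two controls HTB23085 calls for."""
import html
import os
import re
from typing import Optional

# Constructed values for the example: a real application derives the
# installed set from the language directories actually present on disk.
LANGUAGE_DIR = "/var/www/piwigo/language"  # hypothetical base directory
INSTALLED_LANGUAGES = frozenset({"en_UK", "fr_FR", "de_DE"})
_LANG_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")  # shape of a language code


def resolve_language_file(base_dir: str, language: str) -> Optional[str]:
    """Map a user-supplied language value to a file under base_dir.

    Returns the canonical path, or None when the value must be rejected.
    Check 1: allowlist (expected shape and a known installed code).
    Check 2: canonical-path containment, as defence in depth should the
    allowlist ever be widened or bypassed.
    """
    if not _LANG_RE.fullmatch(language) or language not in INSTALLED_LANGUAGES:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, language, "common.lang.php"))
    try:
        # commonpath raises ValueError for paths on different roots/drives
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        return None
    return candidate


def escape_for_html(value: str) -> str:
    """Encode a reflected parameter for an HTML text or attribute context.

    html.escape with quote=True encodes &, <, >, " and ', which is what a
    value placed in body text or a double-quoted attribute needs.
    """
    return html.escape(value, quote=True)


def render_status(section: str, installstatus: str, theme: str) -> str:
    """Build the fragment a status page might emit with its three reflected
    parameters, each encoded at the point of output."""
    return (
        f'<p class="status" data-section="{escape_for_html(section)}">'
        f"{escape_for_html(installstatus)} (theme: {escape_for_html(theme)})</p>"
    )


if __name__ == "__main__":
    for value in ("en_UK", "es_ES", "../admin", "en_UK/../../x"):
        print(repr(value), "->", resolve_language_file(LANGUAGE_DIR, value))
    print(render_status("install", "<b>done</b>", 'clear"'))
```

Rejecting rather than "cleaning" the language value keeps the logic simple and auditable; a value that fails either check is never used to build a path. Encoding happens at the output sink, not at input, because the same parameter value may later be emitted into a different context that needs different encoding.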

Vulnerability ID: HTB23085
Vendor Notification / Patch / Public Disclosure Dates: 4 April / 8 April / 25 April
Vulnerability Type: Directory Path Traversal, Cross-Site Scripting (XSS)
Risk level: Medium
Solution Status: Fixed by Vendor, Upgrade to Piwigo 2.3.4
