Piwigo Unauthenticated Information Disclosure Vulnerability in pwg.history.search API

Vulnerability

A vulnerability in Piwigo's photo gallery application allows unauthenticated users to access the full browsing history of all gallery visitors. This issue exists in versions prior to 16.3.0, where the pwg.history.search API method was not restricted to admin users. The lack of authentication checks enables unauthorized access to sensitive user data, including IP addresses, usernames, user IDs, and detailed browsing and download histories.

Impact

Exploitation of this vulnerability leads to unauthorized access to private user information and activity within the gallery, constituting a significant privacy breach.

Reproduction

The vulnerability can be reproduced by sending an HTTP request that invokes the pwg.history.search API method. No authentication is required; the method can be called directly or with filters for specific users or IP addresses.
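For defenders who cannot upgrade immediately, the following added example (not part of the advisory or Piwigo's own code) scans web-server access logs for calls to pwg.history.search and reports those from sources outside an assumed set of trusted administrator IPs. It assumes Apache combined log format; the sample lines, the trusted-IP set and the `filter_*` parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Apr/2026:22:17:01 +0000] "GET /ws.php?format=json&method=pwg.history.search&filter_user_id=2 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.7 - - [03/Apr/2026:22:17:05 +0000] "GET /ws.php?format=json&method=pwg.categories.getList HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Apr/2026:22:17:09 +0000] "GET /ws.php?format=json&method=pwg.history.search&filter_ip=10.0.0.5 HTTP/1.1" 200 7400 "-" "python-requests/2.31"
192.0.2.44 - - [03/Apr/2026:22:18:00 +0000] "POST /ws.php?format=json&method=pwg.history.search HTTP/1.1" 200 9000 "https://gallery.example/admin.php" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "verb target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SENSITIVE_METHOD = "pwg.history.search"


def find_history_search_calls(log_text, trusted_ips=frozenset()):
    """Return one record per call to the sensitive method, flagging untrusted sources.

    Note: Piwigo's web service also accepts the method name in a POST body, which the
    access log does not show; POSTs to ws.php with no method in the query string are
    worth a separate look but are not flagged here.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        url = urlparse(m["target"])
        if not url.path.endswith("/ws.php"):
            continue                      # only the web-service endpoint is of interest
        qs = parse_qs(url.query)
        if qs.get("method", [""])[0] != SENSITIVE_METHOD:
            continue
        # Assumed filter_* parameter names; collect whatever the caller supplied.
        filters = {k: v[0] for k, v in qs.items() if k.startswith("filter")}
        hits.append({"ip": m["ip"], "ts": m["ts"], "verb": m["verb"],
                     "status": int(m["status"]), "filters": filters,
                     "trusted": m["ip"] in trusted_ips})
    return hits


def untrusted_callers(hits):
    """Count sensitive-method calls per source IP, trusted admin hosts excluded."""
    counts = {}
    for h in hits:
        if not h["trusted"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    calls = find_history_search_calls(SAMPLE_LOG, trusted_ips={"192.0.2.44"})
    for ip, n in untrusted_callers(calls).items():
        print(f"{ip}: {n} call(s) to {SENSITIVE_METHOD} from an untrusted source")
```

On an instance older than 16.3.0, any hit from an untrusted source should be treated as a probable disclosure of the visitors' browsing history and handled accordingly.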

Remediation

Administrators should upgrade to Piwigo version 16.3.0 or later, where this vulnerability has been patched.

Added: Apr 3, 2026, 10:17 PM
Updated: Apr 3, 2026, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.