Vulnerabilities related to piwigo - piwigo
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/99349 |
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99349 |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5D356328-15B0-4402-94E6-8C16E09EB088", versionEndIncluding: "2.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.", }, { lang: "es", value: "Vulnerabilidad Cross-Site Request Forgery (CSRF) en Piwigo hasta la versión 2.9.1 permite que atacantes remotos secuestren la autenticación de usuarios para peticiones para cambiar un álbum privado a público mediante una petición manipulada.", }, ], id: "CVE-2017-10680", lastModified: "2024-11-21T03:06:17.087", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-29T21:29:00.267", references: [ { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/99349", }, { source: 
"cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "cve@mitre.org", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/99349", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-01-03 06:59
Modified
2024-11-21 02:43
Severity
Summary
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/95202 |
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | Issue Tracking, Patch
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | Issue Tracking, Patch
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95202 |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251", versionEndIncluding: "2.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.", }, { lang: "es", value: "admin/plugin.php en Piwigo hasta la versión 2.8.3 no valida el variable de secciones al usarlo para incluir archivos. Esto puede provocar la divulgación de información y la ejecución de código si contiene una secuencia .. .", }, ], id: "CVE-2016-10105", lastModified: "2024-11-21T02:43:19.020", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-01-03T06:59:00.137", references: [ { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/95202", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", 
"Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/95202", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity
Summary
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.", }, { lang: "es", value: "La API List Users de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro sSortDir_0 en /admin/user_list_backend.php. Un atacante puede explotarlo para obtener acceso a la información en una base de datos MySQL conectada.", }, ], id: "CVE-2017-17822", lastModified: "2024-11-21T03:18:45.133", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.260", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/823", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/823", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-07-21 17:15
Modified
2024-11-21 05:13
Severity
Summary
A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1157 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1157 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*", matchCriteriaId: "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.", }, { lang: "es", value: "Una vulnerabilidad de tipo cross site scripting (XSS) almacenado en el archivo /admin.php?page=tags de Piwigo versión 2.10.1, permite a atacantes ejecutar scripts web o HTML arbitrarios", }, ], id: "CVE-2020-22148", lastModified: "2024-11-21T05:13:06.920", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-21T17:15:08.123", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1157", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party 
Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1157", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-14 13:15
Modified
2024-11-21 06:24
Severity
Summary
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1476 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1476 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B6BC6DF8-D938-4413-B4C7-132BCC938E68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.", }, { lang: "es", value: "En Piwigo versión 11.5.0, se presenta una vulnerabilidad de tipo cross-site scripting persistente en la función de modo único mediante /admin.php?page=batch_manager&mode=unit", }, ], id: "CVE-2021-40678", lastModified: "2024-11-21T06:24:33.500", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-14T13:15:07.937", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1476", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1476", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-10 18:15
Modified
2024-11-21 06:32
Severity
Summary
Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1582 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1582 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "BDC77171-712D-461F-83B8-953EB077F285", versionEndIncluding: "12.1.0", versionStartIncluding: "12.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.", }, { lang: "es", value: "Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Piwigo versión 12.x, por medio de la función pwg_activity en el archivo include/functions.inc.php", }, ], id: "CVE-2021-45357", lastModified: "2024-11-21T06:32:08.013", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-10T18:15:08.383", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1582", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", 
"Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1582", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-01-28 18:59
Modified
2024-11-21 03:27
Severity
Summary
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://piwigo.org/releases/2.8.6 | Release Notes, Vendor Advisory
cve@mitre.org | http://www.securityfocus.com/bid/95848 | Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/600 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.6 | Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95848 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/600 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "6B6B020F-0D8F-4DCB-A443-6A1398E0B3DA", versionEndIncluding: "2.8.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.", }, { lang: "es", value: "Vulnerabilidad XSS en la función de carga de imágenes en Piwigo en versiones anteriores a 2.8.6 permite a un atacantes inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de archivo de imagen manipulado.", }, ], id: "CVE-2017-5608", lastModified: "2024-11-21T03:27:59.880", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-01-28T18:59:00.133", references: [ { source: "cve@mitre.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.6", }, { source: 
"cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95848", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/600", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95848", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/600", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-03-18 23:15
Modified
2024-11-21 06:53
Severity
Summary
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*", matchCriteriaId: "81C2A86F-D640-455A-915C-B187ECB741AC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.", }, { lang: "es", value: "Se ha detectado que Piwigo versión v12.2.0, contiene un filtrado de información por medio del parámetro action en el archivo /admin/maintenance_actions.php", }, ], id: "CVE-2022-26267", lastModified: "2024-11-21T06:53:40.217", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-03-18T23:15:07.870", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-306", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 16:15
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1910 | Exploit, Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1910 | Exploit, Issue Tracking, Patch
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:13.6.0:-:*:*:*:*:*:*", matchCriteriaId: "C0F29243-1953-4593-9D93-65BAF0D5D0EB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.", }, ], id: "CVE-2023-33361", lastModified: "2025-01-31T16:15:30.407", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-05-23T14:15:09.863", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/1910", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/1910", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-06-15 16:15
Modified
2024-11-21 08:07
Severity
Summary
Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1924 | Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1924 | Exploit, Issue Tracking, Vendor Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "B4B9AEE3-C9C5-4D20-BA38-9E5A2A64FABD", versionEndIncluding: "13.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 13.7.0 is vulnerable to SQL Injection via the \"Users\" function.", }, ], id: "CVE-2023-34626", lastModified: "2024-11-21T08:07:27.927", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-06-15T16:15:09.347", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1924", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1924", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-03-18 23:15
Modified
2024-11-21 06:53
Severity ?
Summary
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*", matchCriteriaId: "81C2A86F-D640-455A-915C-B187ECB741AC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.", }, { lang: "es", value: "Se ha detectado que Piwigo versión v12.2.0, contiene una vulnerabilidad de inyección SQL por medio del archivo pwg.users.php", }, ], id: "CVE-2022-26266", lastModified: "2024-11-21T06:53:40.080", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-03-18T23:15:07.833", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md", }, ], sourceIdentifier: "cve@mitre.org", 
vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2015-02-03 16:59
Modified
2024-11-21 02:25
Severity ?
Summary
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://piwigo.org/forum/viewtopic.php?id=25016 | Vendor Advisory
cve@mitre.org | http://piwigo.org/releases/2.5.6 | Patch, Vendor Advisory
cve@mitre.org | http://piwigo.org/releases/2.6.5 | Patch, Vendor Advisory
cve@mitre.org | http://piwigo.org/releases/2.7.3 | Patch, Vendor Advisory
cve@mitre.org | http://secunia.com/advisories/62606 |
cve@mitre.org | http://www.securityfocus.com/bid/72400 |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/forum/viewtopic.php?id=25016 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.5.6 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.6.5 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.7.3 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/62606 |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/72400 |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "61D5A594-379F-42FF-BC3E-01793AE929FE", versionEndIncluding: "2.5.5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "B95C9758-4EE5-4690-8EDF-575907C3A15A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*", matchCriteriaId: "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.4:*:*:*:*:*:*:*", matchCriteriaId: "6EDF6D0E-33DD-483C-996F-D6159A744BA8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*", matchCriteriaId: "533214A7-83F9-49E1-BF53-DA53E5AE2F82", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:beta2:*:*:*:*:*:*", matchCriteriaId: "92705F58-8812-43D0-A35E-5695A60BBD0A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:rc1:*:*:*:*:*:*", matchCriteriaId: "BBB74696-421F-4414-BB75-996107E2A12B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:rc2:*:*:*:*:*:*", matchCriteriaId: "41B4D40F-2571-4729-BBF6-1014C7A3DC0C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.1:*:*:*:*:*:*:*", matchCriteriaId: "5C68DAF3-6C49-438A-881B-A261B267C55A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.2:*:*:*:*:*:*:*", matchCriteriaId: "5E0A6114-5FC1-41C2-8F89-9EE6B76E5E0F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified 
vectors.", }, { lang: "es", value: "Vulnerabilidad de SQL en Piwigo anterior a 2.5.6, 2.6.x anterior a 2.6.5, y 2.7.x anterior a 2.7.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados.", }, ], id: "CVE-2015-1441", lastModified: "2024-11-21T02:25:25.993", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-02-03T16:59:26.563", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25016", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.5.6", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.6.5", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.3", }, { source: "cve@mitre.org", url: "http://secunia.com/advisories/62606", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/72400", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25016", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.5.6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.6.5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: 
"http://piwigo.org/releases/2.7.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://secunia.com/advisories/62606", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/72400", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-03-13 20:55
Modified
2024-11-21 01:49
Severity ?
Summary
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | Exploit
cve@mitre.org | http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | Exploit
cve@mitre.org | http://piwigo.org/bugs/view.php?id=0002843 |
cve@mitre.org | http://piwigo.org/forum/viewtopic.php?id=21470 |
cve@mitre.org | http://piwigo.org/releases/2.4.7 |
cve@mitre.org | http://www.exploit-db.com/exploits/24561 | Exploit
cve@mitre.org | http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php | Exploit
cve@mitre.org | https://www.htbridge.com/advisory/HTB23144 | Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/bugs/view.php?id=0002843 |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/forum/viewtopic.php?id=21470 |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.4.7 |
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/24561 | Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php | Exploit
af854a3a-2127-422b-91ae-364da2661108 | https://www.htbridge.com/advisory/HTB23144 | Exploit
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "C317128C-7749-4BE1-A7D3-88CAB5BE6F67", versionEndIncluding: "2.4.6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", matchCriteriaId: "D245F2A4-676D-478F-8D0F-E183CF52E656", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "2E349A00-60C3-426A-B6AA-B940B60B28F4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9D724AA1-B057-409F-ABCA-064586771118", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "38A03451-C199-44DD-A4ED-298B50193FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", matchCriteriaId: "752561BC-D824-4264-8697-DD9DE88F7D53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "615E6F3A-162D-42F6-A537-442E9ED0B385", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", matchCriteriaId: "36F26A2A-2175-4665-ACA5-A417A665B662", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", matchCriteriaId: "A2D17AE0-823E-41EC-A282-10103975E792", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "E99613B2-BF99-4A44-9240-9720A17206A1", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", matchCriteriaId: "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09", vulnerable: true, }, { 
criteria: "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B899A695-73BA-4459-86E4-E96E12FB4CA2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", matchCriteriaId: "7081BEAD-39F5-48EC-B13F-81073D7C4C2C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", matchCriteriaId: "EAC7628A-2083-41A2-8621-DACD3F769C53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "5D565B05-80D5-400A-ADBB-8DE393798D7E", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", matchCriteriaId: "7F7623DB-E676-41B3-A15D-6769BF7E230D", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", matchCriteriaId: "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "03BBE4F6-35E8-4935-B657-651D3D822890", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", matchCriteriaId: "6A62DCAD-3C28-4595-9095-90DBA3944BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", matchCriteriaId: "0064F204-3F3F-4E32-8104-A15ECC8464D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*", matchCriteriaId: "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: 
"E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "C19CE4F7-2033-44E7-BBD2-70D451692E37", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", matchCriteriaId: "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", matchCriteriaId: "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", matchCriteriaId: "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", matchCriteriaId: "FC5D9559-C2C7-405E-8874-47B227D3CF1F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E0E85CC3-7B91-4ABE-A011-7167339F8EB6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "608D7317-53DE-4CAB-B396-3C7A6C6B418F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*", matchCriteriaId: "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", matchCriteriaId: "7024F414-7E9A-4FD9-9B34-EB0A5D820E87", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", matchCriteriaId: "068DE0CF-6D52-434D-A118-4D346014B07F", vulnerable: true, }, { criteria: 
"cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "F816C962-4FC3-4763-96BB-15EB27B367D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "BD204EAB-344D-4569-BB17-3E7C2A5EA92A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CBCC5440-AD21-47F4-BE33-898302981AC0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", matchCriteriaId: "96AC8E7D-5718-42F6-9829-59996D18EDFB", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", matchCriteriaId: "A58D540A-4786-411D-AF4F-020120AA65A2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", matchCriteriaId: "7F55F438-AF9D-405C-A1E6-758DE74EFC65", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "03F4C388-E6B2-40C5-8C3C-DDD80D619F27", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "EED818B6-30DE-46C6-B240-FC9B5E5C6A78", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "3F1B61AB-ECE7-4E89-9059-2066F08F67AD", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", matchCriteriaId: "BB10D77F-38E8-4164-A651-399DFB6A4AD5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", matchCriteriaId: "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", matchCriteriaId: 
"F79451CF-562C-4DC1-B03F-7FA354E6C36C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", matchCriteriaId: "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", matchCriteriaId: "F8474722-3819-418E-9C7E-FADC5EEE3D58", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*", matchCriteriaId: "C33A514B-739F-4A78-A868-19860A2F4BCA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.", }, { lang: "es", value: "Vulnerabilidad de salto de directorio en install.php en Piwigo anterior a v2.4.7 que permite a atacantes remotos leer y eliminar ficheros arbitrarios a través de .. (punto punto) en el parámetro dl.", }, ], id: "CVE-2013-1469", lastModified: "2024-11-21T01:49:39.627", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:P", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2013-03-13T20:55:02.750", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { source: "cve@mitre.org", url: "http://piwigo.org/bugs/view.php?id=0002843", }, { source: 
"cve@mitre.org", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { source: "cve@mitre.org", url: "http://piwigo.org/releases/2.4.7", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/24561", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/view.php?id=0002843", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/releases/2.4.7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/24561", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23144", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-04-02 19:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1352 | Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1352 | Exploit, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "CE6825BB-C574-480F-92B6-5A7D8E70BFD9", versionEndExcluding: "11.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.", }, { lang: "es", value: "Una inyección SQL se presenta en Piwigo versiones anteriores a 11.4.0, por medio del parámetro language en admin.php?page=languages.", }, ], id: "CVE-2021-27973", lastModified: "2024-11-21T05:58:56.550", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-02T19:15:20.880", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1352", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1352", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
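Five of the entries above are CWE-89 SQL injection (CVE-2023-33361, CVE-2023-34626, CVE-2022-26266, CVE-2015-1441 and CVE-2021-27973). None of the summaries shows the code, so the following is an added, generic example in Python with SQLite, not Piwigo's queries or schema: a lookup that splices the caller's value into the SQL text beside the same lookup with a bound parameter, run against two constructed payloads. The table, rows and column names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a gallery's user table (not Piwigo's schema).
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid", "$2y$10$adminhash"),
    (2, "alice", "alice@example.invalid", "$2y$10$alicehash"),
    (3, "bob", "bob@example.invalid", "$2y$10$bobhash"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, mail TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: the caller's string becomes part of the SQL grammar, so a quote
    character in it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the value travels separately from the
    statement text and is compared as data, whatever characters it contains."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads an attacker would supply as the "username" value.
PAYLOAD_TAUTOLOGY = "nobody' OR '1'='1"
PAYLOAD_UNION = "nobody' UNION SELECT id, password FROM users --"


def demo():
    """Runs both payloads through both lookups and returns the rows each produced."""
    conn = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY),   # every row
        "vuln_union": lookup_vulnerable(conn, PAYLOAD_UNION),           # password hashes
        "safe_tautology": lookup_safe(conn, PAYLOAD_TAUTOLOGY),         # no such user
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),                 # no such user
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The UNION payload is the one that turns a harmless "find user by name" query into a read of a column the query never selected, which is why these entries carry a high confidentiality impact even when the injectable statement itself looks innocuous.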
Vulnerability from fkie_nvd
Published
2024-01-12 13:15
Modified
2024-11-21 08:38
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo v14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/AdminTools/issues/21 | Exploit, Issue Tracking, Vendor Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/2069 | Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/AdminTools/issues/21 | Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/2069 | Exploit, Issue Tracking, Vendor Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:14.0.0:*:*:*:*:*:*:*", matchCriteriaId: "DF997677-CC8C-40D2-BAA6-EF1374DC731F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.", }, { lang: "es", value: "Vulnerabilidad de Cross Site Scripting en piwigo v.14.0.0 permite a un atacante remoto obtener información confidencial a través del parámetro lang en el componente del complemento Herramientas de Administrador.", }, ], id: "CVE-2023-51790", lastModified: "2024-11-21T08:38:48.780", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-01-12T13:15:11.733", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/AdminTools/issues/21", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/2069", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/AdminTools/issues/21", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Vendor Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/2069", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: 
"en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-01-28 20:15
Modified
2024-11-21 02:50
Severity ?
Summary
Piwigo is image gallery software written in PHP. When a criterion is not met on the host, Piwigo falls back to mt_rand to generate password reset tokens. mt_rand output can be predicted once the seed used to generate it is recovered. This allows an unauthenticated attacker to take over an account, provided they know an administrator's email address so that they can request a password reset.
References
Source | URL | Tags
---|---|---
secalert@redhat.com | http://piwigo.org/release-2.8.1%2C |
secalert@redhat.com | https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d | Patch, Third Party Advisory
secalert@redhat.com | https://github.com/Piwigo/Piwigo/issues/470%2C |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/release-2.8.1%2C |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/470%2C |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "294E7F72-0D7D-4B0C-B05E-B58EFB07CF35", versionEndExcluding: "2.8.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.", }, { lang: "es", value: "Piwigo es un software de galería de imágenes escrito en PHP. Cuando no es cumplido un criterio en un host, piwigo usa por defecto mt_rand para generar tokens de restablecimiento de contraseña. La salida de mt_rand puede predecirse tras recuperar la semilla usada para generarla. 
Esto permite a un atacante no autenticado hacerse con una cuenta siempre que conozca la dirección de correo electrónico del administrador para poder solicitar el restablecimiento de la contraseña", }, ], id: "CVE-2016-3735", lastModified: "2024-11-21T02:50:36.240", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-01-28T20:15:08.437", references: [ { source: "secalert@redhat.com", url: "http://piwigo.org/release-2.8.1%2C", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d", }, { source: "secalert@redhat.com", url: "https://github.com/Piwigo/Piwigo/issues/470%2C", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/release-2.8.1%2C", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://github.com/Piwigo/Piwigo/issues/470%2C", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-335", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-335", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
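The CVE-2016-3735 entry above states the mechanism: a Mersenne Twister seeded from a recoverable value makes every reset token predictable. The following added example, in Python rather than PHP and not Piwigo's code, walks the attack through: the server seeds once and hands out tokens in order; the attacker requests a reset for an account they control, observes their own token, brute-forces the seed window until it reproduces, and then computes the administrator's token. Python's `random.Random` is MT19937 like PHP's mt_rand, though the two seed and scale their output differently; the timestamp seed, the one-hour window and the token layout are assumptions. The `secrets` module shows the fix.

```python
import random
import secrets

TOKEN_BYTES = 16

# Constructed scenario: the server process seeded its generator from a Unix
# timestamp (an assumed low-entropy source) and then issued reset tokens in order.
SERVER_SEED = 1_700_000_000


def mt_token(rng):
    """Reset token built from Mersenne Twister output: four 32-bit words as hex."""
    return "".join("%08x" % rng.getrandbits(32) for _ in range(TOKEN_BYTES // 4))


def vulnerable_reset_tokens(seed, count):
    """Server side: one seeded generator, tokens handed out in sequence."""
    rng = random.Random(seed)
    return [mt_token(rng) for _ in range(count)]


def recover_seed(observed_token, seed_lo, seed_hi):
    """Attacker side: brute-force the plausible seed window until a candidate
    generator reproduces the token the attacker received for their own account."""
    for seed in range(seed_lo, seed_hi):
        if mt_token(random.Random(seed)) == observed_token:
            return seed
    return None


def predict_token(seed, position):
    """With the seed known, the token at any later position is known too."""
    rng = random.Random(seed)
    for _ in range(position):
        mt_token(rng)
    return mt_token(rng)


def secure_token():
    """The fix: draw from the OS CSPRNG, which has no recoverable seed."""
    return secrets.token_hex(TOKEN_BYTES)


def simulate_attack(window_seconds=3600):
    """Attacker's reset is issued first, the administrator's second."""
    attacker_token, admin_token = vulnerable_reset_tokens(SERVER_SEED, 2)
    seed = recover_seed(attacker_token,
                        SERVER_SEED - window_seconds, SERVER_SEED + window_seconds)
    return {
        "recovered_seed": seed,
        "predicted_admin_token": predict_token(seed, 1) if seed is not None else None,
        "actual_admin_token": admin_token,
    }


if __name__ == "__main__":
    print(simulate_attack())
    print("CSPRNG token:", secure_token())
```

The brute force is cheap because the search space is the seed's entropy, not the token's length: a 128-bit token drawn from a generator seeded with a few thousand plausible values is, in effect, a few thousand candidates.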
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/99383 |
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99383 |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5D356328-15B0-4402-94E6-8C16E09EB088", versionEndIncluding: "2.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.", }, { lang: "es", value: "Vulnerabilidad Cross-Site Request Forgery (CSRF) en Piwigo hasta la versión 2.9.1 permite que atacantes remotos secuestren la autenticación de usuarios para peticiones que eliminan vínculos permanentes mediante una petición manipulada.", }, ], id: "CVE-2017-10678", lastModified: "2024-11-21T03:06:16.783", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-29T21:29:00.190", references: [ { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/99383", }, { source: "cve@mitre.org", tags: [ "Patch", 
"Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "cve@mitre.org", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/99383", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2009-11-20 19:30
Modified
2024-11-21 01:08
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://piwigo.org/releases/2.0.6 | Patch, Vendor Advisory
cve@mitre.org | http://secunia.com/advisories/37336 | Vendor Advisory
cve@mitre.org | http://www.vupen.com/english/advisories/2009/3221 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.0.6 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/37336 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.vupen.com/english/advisories/2009/3221 | Vendor Advisory
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "CCD22CE7-3A0A-48C3-95EB-C9DB3745EAC2", versionEndIncluding: "2.0.5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", }, { lang: "es", value: "Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados(XSS) en Piwigo antes de v2.0.6 permite a atacantes remotos inyectar HTML o scripts web a través de vectores no especificados.", }, ], id: "CVE-2009-4039", lastModified: "2024-11-21T01:08:47.807", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: 
"2009-11-20T19:30:00.920", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.0.6", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/37336", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2009/3221", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.0.6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/37336", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2009/3221", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2013-03-14 03:13
Modified
2024-11-21 01:49
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "C317128C-7749-4BE1-A7D3-88CAB5BE6F67", versionEndIncluding: "2.4.6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", matchCriteriaId: "D245F2A4-676D-478F-8D0F-E183CF52E656", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "2E349A00-60C3-426A-B6AA-B940B60B28F4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9D724AA1-B057-409F-ABCA-064586771118", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "38A03451-C199-44DD-A4ED-298B50193FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", matchCriteriaId: "752561BC-D824-4264-8697-DD9DE88F7D53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "615E6F3A-162D-42F6-A537-442E9ED0B385", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", matchCriteriaId: "36F26A2A-2175-4665-ACA5-A417A665B662", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", matchCriteriaId: "A2D17AE0-823E-41EC-A282-10103975E792", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "E99613B2-BF99-4A44-9240-9720A17206A1", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", matchCriteriaId: "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09", vulnerable: true, }, { 
criteria: "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B899A695-73BA-4459-86E4-E96E12FB4CA2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", matchCriteriaId: "7081BEAD-39F5-48EC-B13F-81073D7C4C2C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", matchCriteriaId: "EAC7628A-2083-41A2-8621-DACD3F769C53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "5D565B05-80D5-400A-ADBB-8DE393798D7E", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", matchCriteriaId: "7F7623DB-E676-41B3-A15D-6769BF7E230D", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", matchCriteriaId: "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "03BBE4F6-35E8-4935-B657-651D3D822890", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", matchCriteriaId: "6A62DCAD-3C28-4595-9095-90DBA3944BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", matchCriteriaId: "0064F204-3F3F-4E32-8104-A15ECC8464D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*", matchCriteriaId: "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: 
"E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "C19CE4F7-2033-44E7-BBD2-70D451692E37", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", matchCriteriaId: "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", matchCriteriaId: "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", matchCriteriaId: "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", matchCriteriaId: "FC5D9559-C2C7-405E-8874-47B227D3CF1F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E0E85CC3-7B91-4ABE-A011-7167339F8EB6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "608D7317-53DE-4CAB-B396-3C7A6C6B418F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*", matchCriteriaId: "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", matchCriteriaId: "7024F414-7E9A-4FD9-9B34-EB0A5D820E87", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", matchCriteriaId: "068DE0CF-6D52-434D-A118-4D346014B07F", vulnerable: true, }, { criteria: 
"cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "F816C962-4FC3-4763-96BB-15EB27B367D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "BD204EAB-344D-4569-BB17-3E7C2A5EA92A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CBCC5440-AD21-47F4-BE33-898302981AC0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", matchCriteriaId: "96AC8E7D-5718-42F6-9829-59996D18EDFB", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", matchCriteriaId: "A58D540A-4786-411D-AF4F-020120AA65A2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", matchCriteriaId: "7F55F438-AF9D-405C-A1E6-758DE74EFC65", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "03F4C388-E6B2-40C5-8C3C-DDD80D619F27", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "EED818B6-30DE-46C6-B240-FC9B5E5C6A78", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "3F1B61AB-ECE7-4E89-9059-2066F08F67AD", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", matchCriteriaId: "BB10D77F-38E8-4164-A651-399DFB6A4AD5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", matchCriteriaId: "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", matchCriteriaId: 
"F79451CF-562C-4DC1-B03F-7FA354E6C36C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", matchCriteriaId: "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", matchCriteriaId: "F8474722-3819-418E-9C7E-FADC5EEE3D58", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*", matchCriteriaId: "C33A514B-739F-4A78-A868-19860A2F4BCA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.", }, { lang: "es", value: "Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el complemento LocalFiles Editor de Piwigo anterior a v2.4.7 que permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que crean ficheros arbitrarios PHP a través de vectores sin especificar.", }, ], id: "CVE-2013-1468", lastModified: "2024-11-21T01:49:39.463", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 7.6, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:H/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2013-03-14T03:13:32.660", references: [ { source: "cve@mitre.org", url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: 
"http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { source: "cve@mitre.org", url: "http://piwigo.org/bugs/view.php?id=0002844", }, { source: "cve@mitre.org", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { source: "cve@mitre.org", url: "http://piwigo.org/releases/2.4.7", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/52228", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/24561", }, { source: "cve@mitre.org", url: "http://www.osvdb.org/90504", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/view.php?id=0002844", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/releases/2.4.7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/52228", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/24561", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.osvdb.org/90504", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23144", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-01 17:29
Modified
2024-11-21 03:17
Severity ?
Summary
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/804 | Issue Tracking
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/804 | Issue Tracking
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "A17106BD-7461-4A08-AFAC-E79CFC54268C", versionEndIncluding: "2.9.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.", }, { lang: "es", value: "La aplicación Piwigo se ve afectada por una vulnerabilidad de inyección SQL en la versión 2.9.2 y posiblemente en las anteriores. Esta vulnerabilidad permite que los atacantes remotos autenticados obtengan información en el contexto del usuario utilizado por la aplicación para recuperar datos de la base de datos. 
tags.php se ve afectado: los valores de los parámetros edit_list no están sanitizados; se utilizan para construir una consulta SQL y recuperar una lista de usuarios registrados en la aplicación.", }, ], id: "CVE-2017-16893", lastModified: "2024-11-21T03:17:11.427", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-01T17:29:00.543", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues/804", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues/804", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
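The CSRF records in this section (deleting permalinks, the LocalFiles Editor plugin writing PHP files, and the configuration and batch-manager admin pages) share one root cause: an admin action is accepted on the strength of the session cookie alone, and the browser attaches that cookie to a request forged from any other site the administrator happens to visit. The block below is an illustration added for this page, not Piwigo code. It assumes a hypothetical `csrf_token` form field, a `gallery.example` origin and an in-memory permalink store, and uses Python in place of the PHP handler; the check it shows is the one any admin.php-style state-changing page needs: a per-session secret echoed in the form body and compared in constant time, with an Origin/Referer check as a second line of defence.

```python
"""Constructed CSRF illustration (not Piwigo code): a state-changing admin action that
trusts only the session cookie, beside the same action bound to a per-session token."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://gallery.example"   # assumed origin of the gallery (constructed)


class Session:
    """Server-side session; csrf_token is a random secret a cross-site form cannot read."""
    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin
        self.csrf_token = secrets.token_hex(32)


class Request:
    """Minimal request model. The session arrives via the cookie the browser attaches
    automatically, which is exactly what a forged cross-site request relies on."""
    def __init__(self, method, session, form=None, headers=None):
        self.method = method
        self.session = session
        self.form = form or {}
        self.headers = headers or {}


def delete_permalink_vulnerable(store, req):
    """Before: authorization is the session alone, so a forged request succeeds."""
    if req.session is None or not req.session.is_admin:
        return 403
    store.pop(req.form.get("permalink"), None)
    return 200


def same_origin(url, expected):
    u, e = urlsplit(url), urlsplit(expected)
    return (u.scheme.lower(), u.netloc.lower()) == (e.scheme.lower(), e.netloc.lower())


def csrf_ok(req):
    """Synchronizer-token check plus an Origin/Referer check.
    Assumption: a request carrying neither header is rejected."""
    if req.method != "POST":                      # state changes only via POST
        return False
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or not same_origin(source, SITE_ORIGIN):
        return False                              # a forged form POST carries a foreign Origin
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode())


def delete_permalink_hardened(store, req):
    """After: same action, but the request must prove it came from our own page."""
    if req.session is None or not req.session.is_admin:
        return 403
    if not csrf_ok(req):
        return 403
    store.pop(req.form.get("permalink"), None)
    return 200


def demo():
    """Send one forged request to both handlers; returns (status, still_present) for each."""
    admin = Session("admin", is_admin=True)
    forged = Request("POST", admin, form={"permalink": "summer"},
                     headers={"Origin": "https://attacker.example"})   # cross-site form POST
    store_a = {"summer": 42}   # constructed permalink store
    store_b = {"summer": 42}
    return (delete_permalink_vulnerable(store_a, forged), "summer" in store_a,
            delete_permalink_hardened(store_b, forged), "summer" in store_b)


if __name__ == "__main__":
    print(demo())
```

The token must live in the form body (or a custom header), never in a cookie alone, because the forged request carries every cookie anyway; and the Origin check is a supplement, not a replacement, since some proxies and privacy settings strip Referer. Note the CVSS on these records is PR:N/UI:R: the attacker needs no account, only an administrator who opens a page.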
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.", }, { lang: "es", value: "Piwigo 2.9.2 es vulnerable a Cross-Site Request Forgery (CSRF) mediante /admin.php?page=configuration&section=main o /admin.php?page=batch_manager&mode=unit. Un atacante puede explotarlo para forzar a un usuario admin para que realice acciones no esperadas.", }, ], id: "CVE-2017-17827", lastModified: "2024-11-21T03:18:45.917", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.463", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-08-17 18:55
Modified
2024-11-21 02:09
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "0C894787-1ED6-405E-957E-25FEB65F0955", versionEndIncluding: "2.6.3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "B95C9758-4EE5-4690-8EDF-575907C3A15A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.", }, { lang: "es", value: "Vulnerabilidad de XSS en admin/picture_modify.php en el subsistema photo-edit en Piwigo 2.6.3 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo associate[], una vulnerabilidad diferente a CVE-2014-4649.", }, ], id: "CVE-2014-3900", lastModified: "2024-11-21T02:09:05.297", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2014-08-17T18:55:01.747", references: [ { source: "vultures@jpcert.or.jp", url: 
"http://jvn.jp/en/jp/JVN09717399/index.html", }, { source: "vultures@jpcert.or.jp", url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093", }, { source: "vultures@jpcert.or.jp", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=3089", }, { source: "vultures@jpcert.or.jp", url: "http://piwigo.org/dev/changeset/28678", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://jvn.jp/en/jp/JVN09717399/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=3089", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/dev/changeset/28678", }, ], sourceIdentifier: "vultures@jpcert.or.jp", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1009 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1009 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.", }, { lang: "es", value: "Una vulnerabilidad de inyección SQL en el archivo admin/group_list.php en piwigo versión v2.9.5, por medio del parámetro group to delete", }, ], id: "CVE-2020-19212", lastModified: "2024-11-21T05:09:02.110", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-06T14:15:08.217", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1009", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1009", }, ], sourceIdentifier: 
"cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-06-28 15:55
Modified
2024-11-21 02:10
Severity ?
Summary
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "B95C9758-4EE5-4690-8EDF-575907C3A15A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*", matchCriteriaId: "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*", matchCriteriaId: "533214A7-83F9-49E1-BF53-DA53E5AE2F82", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en el subsistema photo-edit en Piwigo 2.6.x y 2.7.x anterior a 2.7.0beta2 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del campo associate[].", }, ], id: "CVE-2014-4649", lastModified: "2024-11-21T02:10:38.290", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-06-28T15:55:08.240", references: [ { source: "cve@mitre.org", url: 
"http://piwigo.org/bugs/changelog_page.php", }, { source: "cve@mitre.org", url: "http://piwigo.org/bugs/view.php?id=3089", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/changelog_page.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/view.php?id=3089", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-02-24 16:29
Modified
2024-11-21 04:11
Severity ?
Summary
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/839 | Third Party Advisory
cve@mitre.org | https://pastebin.com/tPebQFy4 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/839 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://pastebin.com/tPebQFy4 | Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5EECFD6C-9D78-4947-98DC-6A068A48DEE6", versionEndExcluding: "2.9.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.", }, { lang: "es", value: "Piwigo, en versiones anteriores a la 2.9.3, tiene inyección SQL en admin/tags.php en el panel de administración mediante el parámetro tags del array en una petición admin.php?page=tags. El atacante debe ser un administrador.", }, ], id: "CVE-2018-6883", lastModified: "2024-11-21T04:11:21.867", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-02-24T16:29:00.223", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/839", }, { source: "cve@mitre.org", tags: 
[ "Third Party Advisory", ], url: "https://pastebin.com/tPebQFy4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/839", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://pastebin.com/tPebQFy4", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-03-26 20:15
Modified
2024-11-21 05:40
Severity ?
Summary
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/plegall/Piwigo-community/issues/49 | Patch, Third Party Advisory
cve@mitre.org | https://piwigo.org/ext/extension_view.php?eid=303 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/plegall/Piwigo-community/issues/49 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://piwigo.org/ext/extension_view.php?eid=303 | Release Notes
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.0:e-beta:*:*:*:*:*:*", matchCriteriaId: "43076B11-9615-4DB5-9C54-7105AD92F0AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.", }, { lang: "es", value: "El plugin Community versión 2.9.e-beta para Piwigo, permite a usuarios establecer información de imagen sobre imágenes en álbumes para los que no tienen permiso, al manipular el parámetro image_id.", }, ], id: "CVE-2020-9468", lastModified: "2024-11-21T05:40:42.457", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-03-26T20:15:11.473", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/plegall/Piwigo-community/issues/49", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: 
"https://piwigo.org/ext/extension_view.php?eid=303", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/plegall/Piwigo-community/issues/49", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://piwigo.org/ext/extension_view.php?eid=303", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-639", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity ?
Summary
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/95167 | Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95167 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251", versionEndIncluding: "2.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.", }, { lang: "es", value: "admin/languages.php en Piwigo hasta la versión 2.8.3 permite a administradores remotos autenticados llevar a cabo ataques File Inclusion a través del parámetro tab.", }, ], id: "CVE-2016-10085", lastModified: "2024-11-21T02:43:16.120", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-12-30T07:59:00.270", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95167", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95167", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-12-23 11:59
Modified
2024-11-21 02:20
Severity ?
Summary
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "61D5A594-379F-42FF-BC3E-01793AE929FE", versionEndIncluding: "2.5.5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "B95C9758-4EE5-4690-8EDF-575907C3A15A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*", matchCriteriaId: "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "9088607E-D33B-4058-A816-47981DBB86CC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*", matchCriteriaId: "533214A7-83F9-49E1-BF53-DA53E5AE2F82", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:beta2:*:*:*:*:*:*", matchCriteriaId: "92705F58-8812-43D0-A35E-5695A60BBD0A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:rc1:*:*:*:*:*:*", matchCriteriaId: "BBB74696-421F-4414-BB75-996107E2A12B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.0:rc2:*:*:*:*:*:*", matchCriteriaId: "41B4D40F-2571-4729-BBF6-1014C7A3DC0C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.7.1:*:*:*:*:*:*:*", matchCriteriaId: "5C68DAF3-6C49-438A-881B-A261B267C55A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a 
non-numeric value that begins with a digit.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en la función rate_picture en include/functions_rate.inc.php en Piwigo anterior a 2.5.5, 2.6.x anterior a 2.6.4, and 2.7.x anterior a 2.7.2 permite a atacantes remotos ejecutar sentencias SQL a través del parámetro de valoración a picture.php, debido a una comparación de un valor no numérico que empiece con un dígito.", }, ], id: "CVE-2014-9115", lastModified: "2024-11-21T02:20:14.463", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-12-23T11:59:04.110", references: [ { source: "cve@mitre.org", url: "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=24850", }, { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://piwigo.org/releases/2.7.2", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://seclists.org/fulldisclosure/2014/Nov/23", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=24850", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://piwigo.org/releases/2.7.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: 
"http://seclists.org/fulldisclosure/2014/Nov/23", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/95166 | Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/575 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95166 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/575 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251", versionEndIncluding: "2.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.", }, { lang: "es", value: "Vulnerabilidad de XSS en admin/plugin.php en Piwigo hasta la versión 2.8.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de archivo manipulado que se maneja de manera incorrecta en un cierto caso de error.", }, ], id: "CVE-2016-10083", lastModified: "2024-11-21T02:43:15.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-12-30T07:59:00.190", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], 
url: "http://www.securityfocus.com/bid/95166", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/575", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95166", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/575", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.", }, { lang: "es", value: "El componente Batch Manager de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante los parámetros de array tags-* en una petición admin.php?page=batch_managermode=unit. Un atacante puede explotarlo para secuestrar el navegador de un cliente junto con los datos almacenados en él.", }, ], id: "CVE-2017-17825", lastModified: "2024-11-21T03:18:45.593", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.7, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.400", references: [ { source: 
"cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-04-21 15:15
Modified
2025-02-04 22:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "DC474569-D3BC-4BAF-B1AD-FDA7A1DF3E4B", versionEndIncluding: "13.5.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.", }, ], id: "CVE-2023-26876", lastModified: "2025-02-04T22:15:39.600", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-04-21T15:15:07.160", references: [ { source: "cve@mitre.org", url: "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html", }, { source: "cve@mitre.org", url: "http://seclists.org/fulldisclosure/2023/Apr/13", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://piwigo.com", }, { source: 
"cve@mitre.org", tags: [ "Not Applicable", ], url: "https://www.tempest.com.br", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://seclists.org/fulldisclosure/2023/Apr/13", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://piwigo.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "https://www.tempest.com.br", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2010-05-04 16:00
Modified
2024-11-21 01:15
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
References
Impacted products
Vendor | Product | Version
---|---|---
piwigo | piwigo | *
piwigo | piwigo | 1.0.0
piwigo | piwigo | 1.0.1
piwigo | piwigo | 1.0.2
piwigo | piwigo | 1.1.0
piwigo | piwigo | 1.2.0
piwigo | piwigo | 1.2.1
piwigo | piwigo | 1.3.0
piwigo | piwigo | 1.3.1
piwigo | piwigo | 1.3.2
piwigo | piwigo | 1.3.3
piwigo | piwigo | 1.3.4
piwigo | piwigo | 1.4.0
piwigo | piwigo | 1.4.1
piwigo | piwigo | 1.5.0
piwigo | piwigo | 1.5.1
piwigo | piwigo | 1.5.2
piwigo | piwigo | 1.6.0
piwigo | piwigo | 1.6.1
piwigo | piwigo | 1.6.2
piwigo | piwigo | 1.7.0
piwigo | piwigo | 1.7.1
piwigo | piwigo | 1.7.2
piwigo | piwigo | 1.7.3
piwigo | piwigo | 2.0.0
piwigo | piwigo | 2.0.1
piwigo | piwigo | 2.0.2
piwigo | piwigo | 2.0.3
piwigo | piwigo | 2.0.4
piwigo | piwigo | 2.0.5
piwigo | piwigo | 2.0.6
piwigo | piwigo | 2.0.7
piwigo | piwigo | 2.0.8
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "828D4A04-FE5F-4A3F-931C-9AF139D59B26", versionEndIncluding: "2.0.9", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", matchCriteriaId: "D245F2A4-676D-478F-8D0F-E183CF52E656", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "2E349A00-60C3-426A-B6AA-B940B60B28F4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9D724AA1-B057-409F-ABCA-064586771118", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "38A03451-C199-44DD-A4ED-298B50193FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", matchCriteriaId: "752561BC-D824-4264-8697-DD9DE88F7D53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "615E6F3A-162D-42F6-A537-442E9ED0B385", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", matchCriteriaId: "36F26A2A-2175-4665-ACA5-A417A665B662", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", matchCriteriaId: "A2D17AE0-823E-41EC-A282-10103975E792", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "E99613B2-BF99-4A44-9240-9720A17206A1", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", matchCriteriaId: "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09", vulnerable: true, }, { 
criteria: "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B899A695-73BA-4459-86E4-E96E12FB4CA2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", matchCriteriaId: "7081BEAD-39F5-48EC-B13F-81073D7C4C2C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", matchCriteriaId: "EAC7628A-2083-41A2-8621-DACD3F769C53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "5D565B05-80D5-400A-ADBB-8DE393798D7E", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", matchCriteriaId: "7F7623DB-E676-41B3-A15D-6769BF7E230D", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", matchCriteriaId: "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "03BBE4F6-35E8-4935-B657-651D3D822890", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", matchCriteriaId: "6A62DCAD-3C28-4595-9095-90DBA3944BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", matchCriteriaId: "0064F204-3F3F-4E32-8104-A15ECC8464D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: 
"452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "C19CE4F7-2033-44E7-BBD2-70D451692E37", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", matchCriteriaId: "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", matchCriteriaId: "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.", }, { lang: "es", value: "Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en register.php en Piwigo v2.0.9 y anteriores, permiten a atacantes remotos inyectar código web o HTML de su elección a través de los parámetros (1) login y (2) mail_address.", }, ], id: "CVE-2010-1707", lastModified: "2024-11-21T01:15:01.030", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2010-05-04T16:00:35.807", references: [ { source: "cve@mitre.org", tags: [ "Patch", ], url: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", }, { source: 
"cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2010/1034", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.vupen.com/english/advisories/2010/1034", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-07-21 17:15
Modified
2024-11-21 05:13
Severity
Summary
A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1158 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1158 | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*", matchCriteriaId: "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.", }, { lang: "es", value: "Una vulnerabilidad de tipo cross site scripting (XSS) en el archivo /admin.php?page=permalinks de Piwigo versión 2.10.1 permite a atacantes ejecutar scripts web o HTML arbitrarios", }, ], id: "CVE-2020-22150", lastModified: "2024-11-21T05:13:07.060", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-07-21T17:15:08.167", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1158", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1158", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity
Summary
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1012 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1012 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.", }, { lang: "es", value: "Una vulnerabilidad de inyección SQL en el archivo admin/batch_manager.php en piwigo versión v2.9.5, por medio del parámetro filter_category en admin.php?page=batch_manager", }, ], id: "CVE-2020-19217", lastModified: "2024-11-21T05:09:02.727", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-06T14:15:08.407", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1012", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1012", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-02-24 15:15
Modified
2024-11-21 06:50
Severity
Summary
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1605 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1605 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*", matchCriteriaId: "81C2A86F-D640-455A-915C-B187ECB741AC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.", }, { lang: "es", value: "Piwigo versión 12.2.0, es vulnerable a un ataque de tipo cross-site scripting (XSS) almacenado, que puede conllevar a una escalada de privilegios. De este modo, el administrador puede robar las cookies del webmaster para conseguir su acceso", }, ], id: "CVE-2022-24620", lastModified: "2024-11-21T06:50:45.863", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-24T15:15:29.830", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1605", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1605", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-08-14 05:01
Modified
2024-11-21 02:05
Severity
Summary
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
References
Impacted products
Vendor | Product | Version
---|---|---
piwigo | piwigo | *
piwigo | piwigo | 2.0.0
piwigo | piwigo | 2.0.1
piwigo | piwigo | 2.0.2
piwigo | piwigo | 2.0.3
piwigo | piwigo | 2.0.4
piwigo | piwigo | 2.0.5
piwigo | piwigo | 2.0.6
piwigo | piwigo | 2.0.7
piwigo | piwigo | 2.0.8
piwigo | piwigo | 2.0.9
piwigo | piwigo | 2.0.10
piwigo | piwigo | 2.1.0
piwigo | piwigo | 2.1.1
piwigo | piwigo | 2.1.2
piwigo | piwigo | 2.1.3
piwigo | piwigo | 2.1.4
piwigo | piwigo | 2.1.5
piwigo | piwigo | 2.1.6
piwigo | piwigo | 2.2.0
piwigo | piwigo | 2.2.1
piwigo | piwigo | 2.2.2
piwigo | piwigo | 2.2.3
piwigo | piwigo | 2.2.4
piwigo | piwigo | 2.2.5
piwigo | piwigo | 2.3.0
piwigo | piwigo | 2.3.1
piwigo | piwigo | 2.3.2
piwigo | piwigo | 2.3.3
piwigo | piwigo | 2.3.4
piwigo | piwigo | 2.3.5
piwigo | piwigo | 2.4.0
piwigo | piwigo | 2.4.1
piwigo | piwigo | 2.4.2
piwigo | piwigo | 2.4.3
piwigo | piwigo | 2.4.4
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "12270F64-8B72-4D5B-912B-D65D1FCA904C", versionEndIncluding: "2.4.5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "C19CE4F7-2033-44E7-BBD2-70D451692E37", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", matchCriteriaId: "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", matchCriteriaId: "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", matchCriteriaId: "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", matchCriteriaId: "FC5D9559-C2C7-405E-8874-47B227D3CF1F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E0E85CC3-7B91-4ABE-A011-7167339F8EB6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C", vulnerable: true, }, { 
criteria: "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "608D7317-53DE-4CAB-B396-3C7A6C6B418F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*", matchCriteriaId: "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", matchCriteriaId: "7024F414-7E9A-4FD9-9B34-EB0A5D820E87", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", matchCriteriaId: "068DE0CF-6D52-434D-A118-4D346014B07F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "F816C962-4FC3-4763-96BB-15EB27B367D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "BD204EAB-344D-4569-BB17-3E7C2A5EA92A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CBCC5440-AD21-47F4-BE33-898302981AC0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", matchCriteriaId: "96AC8E7D-5718-42F6-9829-59996D18EDFB", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", matchCriteriaId: "A58D540A-4786-411D-AF4F-020120AA65A2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", matchCriteriaId: "7F55F438-AF9D-405C-A1E6-758DE74EFC65", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "03F4C388-E6B2-40C5-8C3C-DDD80D619F27", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "EED818B6-30DE-46C6-B240-FC9B5E5C6A78", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: 
"FF463F04-8ED6-42A8-9B23-ADD85EE6FE76", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "3F1B61AB-ECE7-4E89-9059-2066F08F67AD", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", matchCriteriaId: "BB10D77F-38E8-4164-A651-399DFB6A4AD5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", matchCriteriaId: "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", matchCriteriaId: "F79451CF-562C-4DC1-B03F-7FA354E6C36C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", matchCriteriaId: "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", matchCriteriaId: "F8474722-3819-418E-9C7E-FADC5EEE3D58", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.", }, { lang: "es", value: "Vulnerabilidad de XSS en include/functions_metadata.inc.php en Piwigo anterior a 2.4.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo Make en los metadatos IPTC Exif dentro de un imagen subido al plugin Community.", }, ], id: "CVE-2014-1980", lastModified: "2024-11-21T02:05:23.923", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: 
"PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2014-08-14T05:01:49.490", references: [ { source: "vultures@jpcert.or.jp", url: "http://jvn.jp/en/jp/JVN80310172/index.html", }, { source: "vultures@jpcert.or.jp", url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092", }, { source: "vultures@jpcert.or.jp", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=2805", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://jvn.jp/en/jp/JVN80310172/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=2805", }, ], sourceIdentifier: "vultures@jpcert.or.jp", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-14 19:29
Modified
2024-11-21 03:36
Severity
Summary
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/706 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/706 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "1931608C-2835-4E94-AC78-CCBB6C9EC9E5", versionEndIncluding: "2.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the \"redirect\" parameter is not validated.", }, { lang: "es", value: "Una vulnerabilidad de Redireccionamiento Abierto está presente en Piwigo versión 2.9 y anteriores, lo que permite a los atacantes remotos redireccionar a los usuarios a sitios web arbitrarios y conducir ataques de phishing. El componente del archivo identification.php se ve afectado por este problema: el parámetro \"redirect\" no es comprobado.", }, ], id: "CVE-2017-9464", lastModified: "2024-11-21T03:36:11.313", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", 
type: "Primary", }, ], }, published: "2017-06-14T19:29:00.247", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/706", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/706", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-601", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-07-02 20:55
Modified
2024-11-21 02:10
Severity
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "6ED8EF7D-FCE9-4A5A-A8FA-5C25AD998F8F", versionEndIncluding: "2.6.1", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*", matchCriteriaId: "D245F2A4-676D-478F-8D0F-E183CF52E656", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "2E349A00-60C3-426A-B6AA-B940B60B28F4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "9D724AA1-B057-409F-ABCA-064586771118", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "38A03451-C199-44DD-A4ED-298B50193FA6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*", matchCriteriaId: "752561BC-D824-4264-8697-DD9DE88F7D53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "615E6F3A-162D-42F6-A537-442E9ED0B385", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*", matchCriteriaId: "36F26A2A-2175-4665-ACA5-A417A665B662", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*", matchCriteriaId: "A2D17AE0-823E-41EC-A282-10103975E792", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "E99613B2-BF99-4A44-9240-9720A17206A1", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*", matchCriteriaId: "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09", vulnerable: true, }, { 
criteria: "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B899A695-73BA-4459-86E4-E96E12FB4CA2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*", matchCriteriaId: "7081BEAD-39F5-48EC-B13F-81073D7C4C2C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*", matchCriteriaId: "EAC7628A-2083-41A2-8621-DACD3F769C53", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "5D565B05-80D5-400A-ADBB-8DE393798D7E", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*", matchCriteriaId: "7F7623DB-E676-41B3-A15D-6769BF7E230D", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*", matchCriteriaId: "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*", matchCriteriaId: "03BBE4F6-35E8-4935-B657-651D3D822890", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*", matchCriteriaId: "6A62DCAD-3C28-4595-9095-90DBA3944BF4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*", matchCriteriaId: "0064F204-3F3F-4E32-8104-A15ECC8464D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*", matchCriteriaId: "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "37DF27D2-E4CB-4A49-8D42-F41ED29136C4", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "ABB57804-F8DA-4366-9B75-E5241D137352", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9C51558C-4DF9-4D62-A679-64361E584802", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*", matchCriteriaId: 
"E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*", matchCriteriaId: "452E5E75-FD84-436E-A51B-793346A1456C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "C19CE4F7-2033-44E7-BBD2-70D451692E37", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*", matchCriteriaId: "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*", matchCriteriaId: "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*", matchCriteriaId: "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*", matchCriteriaId: "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*", matchCriteriaId: "FC5D9559-C2C7-405E-8874-47B227D3CF1F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E0E85CC3-7B91-4ABE-A011-7167339F8EB6", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "608D7317-53DE-4CAB-B396-3C7A6C6B418F", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*", matchCriteriaId: "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", matchCriteriaId: "7024F414-7E9A-4FD9-9B34-EB0A5D820E87", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*", matchCriteriaId: "068DE0CF-6D52-434D-A118-4D346014B07F", vulnerable: true, }, { criteria: 
"cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "F816C962-4FC3-4763-96BB-15EB27B367D3", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "BD204EAB-344D-4569-BB17-3E7C2A5EA92A", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CBCC5440-AD21-47F4-BE33-898302981AC0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*", matchCriteriaId: "96AC8E7D-5718-42F6-9829-59996D18EDFB", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*", matchCriteriaId: "A58D540A-4786-411D-AF4F-020120AA65A2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*", matchCriteriaId: "7F55F438-AF9D-405C-A1E6-758DE74EFC65", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "03F4C388-E6B2-40C5-8C3C-DDD80D619F27", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*", matchCriteriaId: "EED818B6-30DE-46C6-B240-FC9B5E5C6A78", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*", matchCriteriaId: "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*", matchCriteriaId: "3F1B61AB-ECE7-4E89-9059-2066F08F67AD", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*", matchCriteriaId: "BB10D77F-38E8-4164-A651-399DFB6A4AD5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*", matchCriteriaId: "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*", matchCriteriaId: 
"F79451CF-562C-4DC1-B03F-7FA354E6C36C", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*", matchCriteriaId: "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*", matchCriteriaId: "F8474722-3819-418E-9C7E-FADC5EEE3D58", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*", matchCriteriaId: "C33A514B-739F-4A78-A868-19860A2F4BCA", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.6:*:*:*:*:*:*:*", matchCriteriaId: "805F6B66-405F-443F-AB57-21977AC959AF", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.4.7:*:*:*:*:*:*:*", matchCriteriaId: "DCEBB44F-F339-4933-B805-42A747C78BE5", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.5.0:*:*:*:*:*:*:*", matchCriteriaId: "3D95AB43-2C76-424A-8D0B-2575D9367033", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.", }, { lang: "es", value: "Múltiples vulnerabilidades de CSRF en Piwigo anterior a 2.6.2 permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que utilizan el método (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add o (6) pwg.permissions.remove.", }, ], id: "CVE-2014-4614", lastModified: "2024-11-21T02:10:34.343", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", 
accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2014-07-02T20:55:06.877", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=0003055", }, { source: "cve@mitre.org", url: "http://piwigo.org/releases/2.6.2", }, { source: "cve@mitre.org", url: "http://seclists.org/oss-sec/2014/q2/623", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=0003055", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/releases/2.6.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://seclists.org/oss-sec/2014/q2/623", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-13 23:15
Modified
2024-11-21 06:07
Severity
Summary
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1410 | Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1410 | Exploit, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.4.0:*:*:*:*:*:*:*", matchCriteriaId: "B9E1456D-0916-4CBB-BE90-A5AE7E099A38", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.", }, { lang: "es", value: "Piwigo versión 11.4.0 permite la inyección SQL en admin/user_list_backend.php order[0][dir].", }, ], id: "CVE-2021-32615", lastModified: "2024-11-21T06:07:23.113", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-13T23:15:07.337", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", }, { source: "cve@mitre.org", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1410", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1410", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-12-02 18:15
Modified
2024-11-21 01:43
Severity
Summary
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "53E98B96-1C2D-48D9-A110-39FFA4F26D6D", versionEndIncluding: "2.4.3", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)", }, { lang: "es", value: "piwigo presenta una vulnerabilidad de tipo XSS en el archivo password.php (una solución incompleta para CVE-2012-4525).", }, ], id: "CVE-2012-4526", lastModified: "2024-11-21T01:43:03.807", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-12-02T18:15:09.927", references: [ { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, { source: "secalert@redhat.com", tags: [ "Mailing 
List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/55710", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "https://access.redhat.com/security/cve/cve-2012-4526", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4526", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/55710", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "https://access.redhat.com/security/cve/cve-2012-4526", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4526", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-24 15:29
Modified
2024-11-21 03:36
Severity
Summary
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/716 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/716 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.1:*:*:*:*:*:*:*", matchCriteriaId: "76057820-1B0F-4F8C-95C5-DA070CCE5623", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).", }, { lang: "es", value: "Vulnerabilidad Cross-site Scripting (XSS en Piwigo 2.9.1 permite a un administrador autentificado remoto inyectar un script arbitrario o código HTML mediante el parámetro virtual_name a /admin.php (p.e, crear un álbum virtual)", }, ], id: "CVE-2017-9836", lastModified: "2024-11-21T03:36:57.317", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.7, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-24T15:29:00.173", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/716", 
}, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/716", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*", matchCriteriaId: "F28058B1-07D1-458C-8AC2-C2914FE4516F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, { lang: "es", value: "El panel de gestión en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el parámetro name en una petición /admin.php?page=photo-${photo_number}. Podría ser posible la explotación de CSRF, relacionada con CVE-2017-10681.", }, ], id: "CVE-2018-7724", lastModified: "2024-11-21T04:12:36.470", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-03-06T17:29:00.433", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-05-17 20:15
Modified
2025-01-22 20:15
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245 | Exploit, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1872 | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1872 | Release Notes
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "86097A18-F13B-45AC-B24B-5A879C3A2DE2", versionEndExcluding: "13.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.", }, ], id: "CVE-2023-27233", lastModified: "2025-01-22T20:15:29.997", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-05-17T20:15:09.933", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "https://github.com/Piwigo/Piwigo/issues/1872", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1872", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-28 17:15
Modified
2024-11-21 06:24
Severity
Summary
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Yang9999999/vuln/blob/main/README.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Yang9999999/vuln/blob/main/README.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B6BC6DF8-D938-4413-B4C7-132BCC938E68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.", }, { lang: "es", value: "piwigo versión 11.5.0, está afectado por una vulnerabilidad de ejecución de código remota (RCE) en el Editor de Archivos Locales", }, ], id: "CVE-2021-40553", lastModified: "2024-11-21T06:24:22.163", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-28T17:15:07.887", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Yang9999999/vuln/blob/main/README.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Yang9999999/vuln/blob/main/README.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: 
"Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-07-14 20:15
Modified
2024-11-21 07:06
Severity
Summary
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via the Search function.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "21D29051-50D8-4327-9D21-9459F6949EEA", versionEndIncluding: "12.2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.", }, { lang: "es", value: "Se ha detectado que Piwigo versión v12.2.0, contiene una vulnerabilidad de inyección SQL por medio de la función Search", }, ], id: "CVE-2022-32297", lastModified: "2024-11-21T07:06:07.900", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5.1, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-07-14T20:15:08.620", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.", }, { lang: "es", value: "El componente Configuration de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante el parámetro gallery_title en una petición admin.php?page=configuration&section=main. Un atacante puede explotarlo para secuestrar el navegador de un cliente junto con los datos almacenados en él.", }, ], id: "CVE-2017-17826", lastModified: "2024-11-21T03:18:45.737", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.430", references: [ { source: 
"cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-06 21:15
Modified
2024-11-21 06:23
Severity
Summary
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1469 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1469 | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B6BC6DF8-D938-4413-B4C7-132BCC938E68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.", }, { lang: "es", value: "Se ha detectado que Piwigo versión v11.5, contiene una vulnerabilidad de inyección SQL por medio del parámetro pwg_token en el archivo /admin/batch_manager_global.php", }, ], id: "CVE-2021-40313", lastModified: "2024-11-21T06:23:51.027", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-06T21:15:07.867", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1469", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1469", }, 
], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-14 19:29
Modified
2024-11-21 03:36
Severity
Summary
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the database user that the application uses to retrieve data. The user_list_backend.php component is affected: the values of the iDisplayStart and iDisplayLength parameters are not sanitized, and they are used to construct the SQL query that retrieves the list of users registered in the application.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/705 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/705 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "1931608C-2835-4E94-AC78-CCBB6C9EC9E5", versionEndIncluding: "2.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.", }, { lang: "es", value: "La aplicación Piwigo esta afectada por una vulnerabilidad de inyección SQL en la versión 2.9.0 y posiblemente anteriores. Esta vulnerabilidad permite a los atacantes identificados remotos obtener información en el contexto del usuario usado por la aplicación para recuperar datos de la base de datos. 
El componente del archivo user_list_backend.php se ve afectado: los valores de los parámetros iDisplayStart y iDisplayLength no son saneados; estos se utilizan para construir una consulta SQL y recuperar una lista de usuarios registrados en la aplicación.", }, ], id: "CVE-2017-9463", lastModified: "2024-11-21T03:36:11.160", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-14T19:29:00.200", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/705", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/705", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.", }, { lang: "es", value: "El componente Configuration de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro de array order_by en admin/configuration.php. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada.", }, ], id: "CVE-2017-17823", lastModified: "2024-11-21T03:18:45.290", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.307", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/826", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/826", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2009-08-21 20:30
Modified
2024-11-21 01:06
Severity
Summary
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "9931524C-ECD8-40DA-969D-94BF21DB7075", versionEndIncluding: "2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en Piwigo en versiones anteriores a 2.0.3 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro \"items_number\".", }, ], id: "CVE-2009-2933", lastModified: "2024-11-21T01:06:05.787", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2009-08-21T20:30:00.437", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/36333", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/archive/1/505801/100/0/threaded", }, { source: "cve@mitre.org", tags: [ "URL Repurposed", ], url: "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/36333", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/505801/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "URL Repurposed", ], url: 
"http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
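The three SQL injection records above share two root causes: numeric request parameters (CVE-2017-9463's iDisplayStart and iDisplayLength, CVE-2009-2933's items_number) interpolated straight into a LIMIT clause, and a caller-supplied column list (CVE-2017-17823's order_by array) interpolated into ORDER BY. The PHP below is an added example written for this page, not Piwigo's code; the users table, its column names and the 500-row cap are assumed. It puts the vulnerable shape next to a hardened version. The point a practitioner should take away is that a prepared statement cannot bind an ORDER BY column or direction, so that part is resolved against an allowlist, while the LIMIT operands are validated as integers and only then bound.

```php
<?php
declare(strict_types=1);

// Added example, not Piwigo code. Table and column names are assumed.

// Vulnerable shape: request values dropped straight into the SQL text.
// iDisplayLength=10 UNION SELECT ... rewrites the query.
function build_user_list_vulnerable(array $get): string
{
    $start  = $get['iDisplayStart'] ?? '0';
    $length = $get['iDisplayLength'] ?? '10';
    $order  = $get['order_by'] ?? ['id ASC'];
    return 'SELECT id, username FROM users'
         . ' ORDER BY ' . implode(', ', (array) $order)
         . ' LIMIT ' . $start . ', ' . $length;
}

// Allowlist of sortable columns; anything else is rejected outright.
const SORTABLE_COLUMNS = ['id', 'username', 'registration_date'];

// Hardened version: returns SQL with placeholders plus the values to bind.
function build_user_list_safe(array $get): array
{
    // LIMIT operands: accept only canonical non-negative integers.
    $start  = filter_var($get['iDisplayStart'] ?? 0,
                         FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $length = filter_var($get['iDisplayLength'] ?? 10,
                         FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 500]]);
    if ($start === false || $length === false) {
        throw new InvalidArgumentException('invalid pagination parameters');
    }

    // ORDER BY cannot be bound as a parameter: map each "column [ASC|DESC]"
    // entry onto the allowlist and reject anything that does not match.
    $orderParts = [];
    foreach ((array) ($get['order_by'] ?? ['id ASC']) as $entry) {
        if (!is_string($entry)
            || !preg_match('/^([a-z_]+)(?:\s+(ASC|DESC))?$/i', trim($entry), $m)) {
            throw new InvalidArgumentException('invalid order_by entry');
        }
        $column = strtolower($m[1]);
        if (!in_array($column, SORTABLE_COLUMNS, true)) {
            throw new InvalidArgumentException('unsortable column: ' . $column);
        }
        $orderParts[] = '`' . $column . '` ' . strtoupper($m[2] ?? 'ASC');
    }

    $sql = 'SELECT id, username FROM users ORDER BY ' . implode(', ', $orderParts)
         . ' LIMIT :start, :length';
    // With PDO the two ints must be bound as PDO::PARAM_INT; emulated prepares
    // would otherwise quote them and break the LIMIT clause.
    return [$sql, [':start' => $start, ':length' => $length]];
}

// Constructed inputs: one benign request, one carrying injection attempts.
$benign  = ['iDisplayStart' => '20', 'iDisplayLength' => '10', 'order_by' => ['username DESC']];
$hostile = ['iDisplayStart' => '0',
            'iDisplayLength' => '10 UNION SELECT 1, password FROM users',
            'order_by' => ['(SELECT 1 FROM users WHERE password LIKE "a%")']];

echo build_user_list_vulnerable($hostile), PHP_EOL;   // attacker text ends up inside the query
[$sql, $params] = build_user_list_safe($benign);
echo $sql, ' ', json_encode($params), PHP_EOL;
try {
    build_user_list_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;      // rejected before any SQL is built
}
```

Casting with `(int)` would also stop the LIMIT injection, but it silently turns `10 UNION ...` into `10`; validating and rejecting makes the attempt visible in logs, which is what a detection team wants from an admin endpoint.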
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 16:15
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection in the "profile" function.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1911 | Exploit, Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1911 | Exploit, Issue Tracking, Patch
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:13.6.0:*:*:*:*:*:*:*", matchCriteriaId: "B279DE47-F1F5-4BB9-A47B-1C9B73DD9076", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to SQL Injection via in the \"profile\" function.", }, ], id: "CVE-2023-33362", lastModified: "2025-01-31T16:15:30.560", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-05-23T14:15:09.917", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/1911", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/1911", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-20 03:29
Modified
2024-11-21 03:18
Severity
Summary
admin/configuration.php in Piwigo 2.9.2 has CSRF.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/822 | Issue Tracking, Patch
cve@mitre.org | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/822 | Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin/configuration.php in Piwigo 2.9.2 has CSRF.", }, { lang: "es", value: "admin/configuration.php en Piwigo 2.9.2 tiene una vulnerabilidad Cross-Site Request Forgery (CSRF).", }, ], id: "CVE-2017-17774", lastModified: "2024-11-21T03:18:38.080", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-20T03:29:00.207", references: [ { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-31 18:15
Modified
2024-11-21 07:14
Severity
Summary
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | Exploit, Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | Exploit, Release Notes, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:12.3.0:*:*:*:*:*:*:*", matchCriteriaId: "216D5A08-DD04-4FF9-B4A7-95BD8FE8D39E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.", }, { lang: "es", value: "Piwigo versión 12.3.0, es vulnerable a un ataque de tipo Cross Site Scripting (XSS) por medio de /search/1940/created-monthly-list", }, ], id: "CVE-2022-37183", lastModified: "2024-11-21T07:14:34.633", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-31T18:15:08.657", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Release Notes", "Third Party Advisory", ], url: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Release Notes", "Third Party Advisory", ], url: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-14 22:55
Modified
2024-11-21 01:38
Severity
Summary
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E9FA2940-9F57-469B-BFEE-5499A87C4394", versionEndIncluding: "2.3.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.", }, { lang: "es", value: "Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en admin.php en Piwigo antes de v2.3.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro 'section' en el módulo de configuración, (2) el parámetro InstallStatus en el módulo languages_new, o (3) el parámetro 'theme' en el módulo 'theme'.\r\n", }, ], id: "CVE-2012-2209", lastModified: "2024-11-21T01:38:42.513", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2012-08-14T22:55:01.847", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, { source: "cve@mitre.org", url: "http://piwigo.org/bugs/view.php?id=2607", }, { source: "cve@mitre.org", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { source: "cve@mitre.org", url: 
"http://piwigo.org/releases/2.3.4", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/48903", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/18782", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.securityfocus.com/bid/53245", }, { source: "cve@mitre.org", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23085", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/view.php?id=2607", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/releases/2.3.4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/48903", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/18782", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.securityfocus.com/bid/53245", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "https://www.htbridge.com/advisory/HTB23085", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
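The two cross-site scripting records above differ in what the injected parameter is for. CVE-2012-2209's section, installstatus and theme parameters select one item from a fixed set, so the right fix is to resolve them against an allowlist before they ever reach the markup; CVE-2022-37183's search path carries genuinely free text, which has to be escaped at the point it is written into HTML. The PHP below is an added example written for this page, not Piwigo's or its template engine's code; the section and theme names and the markup are assumed. It shows one vulnerable echo and the two hardened patterns.

```php
<?php
declare(strict_types=1);

// Added example, not Piwigo code. Parameter names follow the CVE text;
// the admin sections, theme names and markup are assumed for illustration.

// Vulnerable shape: a request parameter echoed into markup unchanged.
function render_theme_link_vulnerable(string $theme): string
{
    return '<a href="admin.php?page=theme&theme=' . $theme . '">' . $theme . '</a>';
}

// Escape for text and quoted-attribute contexts. ENT_QUOTES covers both quote
// characters; ENT_SUBSTITUTE keeps invalid UTF-8 from truncating the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameters that pick one of a fixed set of things should never reach the
// page as free text: resolve against an allowlist and fall back to a default.
function pick(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

const ADMIN_SECTIONS   = ['main', 'comments', 'display', 'watermark'];
const INSTALLED_THEMES = ['modus', 'elegant', 'smartpocket'];

function render_theme_link_safe(string $themeParam): string
{
    $theme = pick($themeParam, INSTALLED_THEMES, 'modus');
    // urlencode for the query string, h() for the attribute and the text node
    return '<a href="admin.php?page=theme&amp;theme=' . h(urlencode($theme)) . '">'
         . h($theme) . '</a>';
}

function render_section_tabs_safe(string $sectionParam): string
{
    $current = pick($sectionParam, ADMIN_SECTIONS, 'main');
    $out = '';
    foreach (ADMIN_SECTIONS as $s) {
        $class = ($s === $current) ? ' class="selected"' : '';
        $out .= '<li' . $class . '><a href="admin.php?page=configuration&amp;section='
              . h($s) . '">' . h($s) . '</a></li>';
    }
    return '<ul>' . $out . '</ul>';
}

// Free text that legitimately varies (a search term, an album name) cannot be
// allowlisted, so it is escaped where it is written into the document.
function render_search_heading_safe(string $term): string
{
    return '<h2>Results for <span class="q">' . h($term) . '</span></h2>';
}

// Constructed payload of the kind a reflected XSS report would use.
$payload = '"><script>alert(document.cookie)</script>';

echo render_theme_link_vulnerable($payload), PHP_EOL;   // script element lands in the page
echo render_theme_link_safe($payload), PHP_EOL;         // unknown theme: default, payload gone
echo render_section_tabs_safe($payload), PHP_EOL;       // unknown section: "main" selected
echo render_search_heading_safe($payload), PHP_EOL;     // payload rendered as inert text
```

Escaping is context-specific: `h()` is correct for element content and double-quoted attributes, but a value placed inside a `<script>` block or an unquoted attribute needs a different encoder, and a value used as a URL needs scheme validation on top of `urlencode`.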
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:26
Severity
Summary
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E2C56A23-6191-4B62-82F3-35527976E603", versionEndIncluding: "2.7.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en el backend administrativo en Piwigo en versiones anteriores a 2.7.4 permite a administradores remotos ejecutar comandos SQL arbitrarios a través del parámetro user en la página del historial a admin.php.", }, ], id: "CVE-2015-2035", lastModified: "2024-11-21T02:26:37.757", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-02-20T16:59:07.397", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "cve@mitre.org", tags: [ "Patch", "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: 
"http://seclists.org/fulldisclosure/2015/Feb/73", }, { source: "cve@mitre.org", tags: [ "Not Applicable", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { source: "cve@mitre.org", tags: [ "Not Applicable", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/72689", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/72689", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity
Summary
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/95164 | Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95164 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251", versionEndIncluding: "2.8.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).", }, { lang: "es", value: "admin/batch_manager.php en Piwigo hasta la versión 2.8.3 permite a administradores remotos autenticados llevar a cabo ataques File Inclusion a través de la variable $page['tab'] (también conocido como el parámetro mode).", }, ], id: "CVE-2016-10084", lastModified: "2024-11-21T02:43:15.977", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-12-30T07:59:00.237", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95164", }, { source: "cve@mitre.org", 
tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/95164", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
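CVE-2016-10084 above is a file inclusion: a request value (the mode parameter, stored in $page['tab']) ends up as part of the path handed to include. The PHP below is an added example written for this page, not Piwigo's code or its fix; the two tab names and the file layout are assumed. It shows the vulnerable shape and a hardened resolver that treats the request value purely as a key into a fixed table and then confirms the resolved file lies inside the admin directory. The script builds its own throwaway directory so it runs from the CLI without a Piwigo install.

```php
<?php
declare(strict_types=1);

// Added example, not Piwigo code. The two batch-manager tab names and the
// file layout under $adminDir are assumed for illustration.

// Vulnerable shape: a request value becomes part of an include path, so
// ?mode=../../../etc/passwd lets the caller choose what gets included.
function tab_include_vulnerable(string $adminDir, string $mode): string
{
    return $adminDir . '/batch_manager_' . $mode . '.php';
}

// Hardened: the request value is only a key into a fixed table of tabs,
// and the resolved path is checked to lie inside the admin directory.
const BATCH_MANAGER_TABS = [
    'global' => 'batch_manager_global.php',
    'unit'   => 'batch_manager_unit.php',
];

function tab_include_safe(string $adminDir, string $mode): ?string
{
    if (!array_key_exists($mode, BATCH_MANAGER_TABS)) {
        return null;                       // unknown tab: caller answers 400 or shows the default
    }
    $base = realpath($adminDir);
    $path = realpath($adminDir . '/' . BATCH_MANAGER_TABS[$mode]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // file missing, or resolved outside the directory
    }
    return $path;
}

// Constructed fixture: a temporary admin directory holding the two tab files.
$adminDir = sys_get_temp_dir() . '/pwg_example_' . bin2hex(random_bytes(4));
mkdir($adminDir);
foreach (BATCH_MANAGER_TABS as $file) {
    file_put_contents($adminDir . '/' . $file, "<?php\n// tab body\n");
}

$hostile = '../../../etc/passwd';           // classic traversal attempt
echo tab_include_vulnerable($adminDir, $hostile), PHP_EOL;     // path points outside admin/
var_dump(tab_include_safe($adminDir, 'unit'));                 // string: the real tab file
var_dump(tab_include_safe($adminDir, $hostile));               // NULL: not a known tab
var_dump(tab_include_safe($adminDir, 'global/../unit'));       // NULL: key match is exact

// Clean up the fixture.
foreach (BATCH_MANAGER_TABS as $file) {
    unlink($adminDir . '/' . $file);
}
rmdir($adminDir);
```

The allowlist alone is sufficient here; the realpath check is defence in depth for the case where the table is later filled from configuration or a plugin rather than from a literal.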
Vulnerability from fkie_nvd
Published
2019-12-02 18:15
Modified
2024-11-21 01:43
Severity
Summary
Piwigo has XSS in password.php
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "53E98B96-1C2D-48D9-A110-39FFA4F26D6D", versionEndIncluding: "2.4.3", versionStartIncluding: "2.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*", matchCriteriaId: "700425A6-CAF3-4ED5-8517-40FDB2450E49", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "piwigo has XSS in password.php", }, { lang: "es", value: "piwigo presenta una vulnerabilidad de tipo XSS en el archivo password.php.", }, ], id: "CVE-2012-4525", lastModified: "2024-11-21T01:43:03.690", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-12-02T18:15:09.850", references: [ { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: 
"http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/55710", }, { source: "secalert@redhat.com", tags: [ "Broken Link", ], url: "https://access.redhat.com/security/cve/cve-2012-4525", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4525", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/55710", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "https://access.redhat.com/security/cve/cve-2012-4525", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4525", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-09-13 13:15
Modified
2024-11-21 04:24
Severity
Summary
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.", }, { lang: "es", value: "admin.php?page=notify_by_mail en Piwigo versión 2.9.5 presenta una vulnerabilidad de tipo XSS por medio del parámetro nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, o param_submit. Esto es explotable por medio de un ataque de tipo CSRF.", }, ], id: "CVE-2019-13363", lastModified: "2024-11-21T04:24:47.990", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-09-13T13:15:11.367", references: [ { source: 
"cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Product", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://piwigo.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Product", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://piwigo.com", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-12-14 18:15
Modified
2024-11-21 06:25
Severity ?
Summary
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1477 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1477 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B6BC6DF8-D938-4413-B4C7-132BCC938E68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.", }, { lang: "es", value: "Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Piwigo versión 11.5.0, por medio del nombre del álbum del sistema y la descripción de la ubicación", }, ], id: "CVE-2021-40882", lastModified: "2024-11-21T06:25:00.240", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-14T18:15:08.490", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1477", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1477", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-03-26 20:15
Modified
2024-11-21 05:40
Severity ?
Summary
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1168 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1168 | Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*", matchCriteriaId: "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.", }, { lang: "es", value: "Piwigo versión 2.10.1, presenta una vulnerabilidad de tipo XSS almacenado, por medio del parámetro file en una petición del archivo /ws.php debido a la función pwg.images.setInfo.", }, ], id: "CVE-2020-9467", lastModified: "2024-11-21T05:40:42.323", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-03-26T20:15:11.427", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1168", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1168", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-01-27 18:15
Modified
2024-11-21 07:32
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1835 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1835 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:13.4.0:*:*:*:*:*:*:*", matchCriteriaId: "D4CE9B7C-3D2B-4876-B8E3-5EE46628EA5C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.", }, { lang: "es", value: "Una vulnerabilidad de cross-site scripting (XSS) almacenado en identification.php de Piwigo v13.4.0 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el User-Agent.", }, ], id: "CVE-2022-48007", lastModified: "2024-11-21T07:32:41.230", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-01-27T18:15:14.947", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1835", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1835", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-26 13:15
Modified
2024-11-21 06:23
Severity ?
Summary
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1470 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1470 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B6BC6DF8-D938-4413-B4C7-132BCC938E68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.", }, { lang: "es", value: "Piwigo versión 11.5.0, está afectado por una vulnerabilidad de inyección SQL por medio del archivo admin.php y el parámetro id", }, ], id: "CVE-2021-40317", lastModified: "2024-11-21T06:23:51.197", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-26T13:15:08.083", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1470", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1470", }, ], sourceIdentifier: "cve@mitre.org", 
vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 18:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1908 | Exploit, Issue Tracking | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1908 | Exploit, Issue Tracking |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:13.6.0:*:*:*:*:*:*:*", matchCriteriaId: "B279DE47-F1F5-4BB9-A47B-1C9B73DD9076", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the \"add tags\" function.", }, ], id: "CVE-2023-33359", lastModified: "2025-01-31T18:15:33.103", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-05-23T14:15:09.813", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues/1908", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues/1908", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-352", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-01-14 04:29
Modified
2024-11-21 04:09
Severity ?
Summary
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.vulnerability-lab.com/get_content.php?id=2005 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.vulnerability-lab.com/get_content.php?id=2005 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.8.2:*:*:*:*:*:*:*", matchCriteriaId: "5962E3BE-9644-4CD6-9BD1-9BEA4CD53B35", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.", }, { lang: "es", value: "Piwigo v2.8.2 tiene XSS mediante los parámetros \"tab\", \"to\", \"section\", \"mode\", \"installstatus\" y \"display\" del archivo \"admin.php\".", }, ], id: "CVE-2018-5692", lastModified: "2024-11-21T04:09:10.900", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-01-14T04:29:00.317", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.vulnerability-lab.com/get_content.php?id=2005", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.vulnerability-lab.com/get_content.php?id=2005", }, 
], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2014-06-28 15:55
Modified
2024-11-21 02:10
Severity ?
Summary
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://piwigo.org/forum/viewtopic.php?id=24009 | Vendor Advisory | |
cve@mitre.org | http://piwigo.org/releases/2.6.3 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/forum/viewtopic.php?id=24009 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.6.3 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E25AF266-16C0-48AB-A69A-3DFDB3F26F0B", versionEndIncluding: "2.6.2", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "BE8F6745-8E09-4D58-B097-E1C62305B46B", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\"", }, { lang: "es", value: "Vulnerabilidad no especificada en Piwigo anterior a 2.6.3 tiene impacto y vectores de ataque desconocidos, relacionado con un 'fallo de seguridad.'", }, ], id: "CVE-2014-4648", lastModified: "2024-11-21T02:10:38.157", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-06-28T15:55:08.177", references: [ { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=24009", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/releases/2.6.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=24009", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"http://piwigo.org/releases/2.6.3", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
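The `configurations` block of each record is what decides whether a given Piwigo install is in scope: most records pin one exact version in the CPE string (`cpe:2.3:a:piwigo:piwigo:2.9.5:...`), while the CVE-2014-4648 record above uses a wildcard version with a `versionEndIncluding` bound plus two exact entries. The following Python, added here as an example and not part of NVD's tooling or of Piwigo, evaluates those `cpeMatch` entries against a vendor, product and version, so a list of such records can be filtered down to the ones that apply to a particular install. The two sample records are copied from this page and trimmed to the fields the matcher reads; the version ordering assumes Piwigo-style dotted numeric versions (pre-release suffixes are not modelled), and configurations that pair the application with a platform node are rejected rather than silently skipped.

```python
import re

# Constructed samples: the "configurations" arrays of two records on this page,
# trimmed to the fields the matcher reads.
SAMPLE_RECORDS = [
    {
        "id": "CVE-2014-4648",
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
             "versionEndIncluding": "2.6.2", "vulnerable": True},
            {"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*", "vulnerable": True},
            {"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*", "vulnerable": True},
        ]}]}],
    },
    {
        "id": "CVE-2020-19213",
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", "vulnerable": True},
        ]}]}],
    },
]


def split_cpe(criteria):
    """Split a CPE 2.3 formatted string into its 13 fields.

    A colon inside a component is escaped as '\\:', so split on unescaped colons only.
    """
    fields = re.split(r"(?<!\\):", criteria)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return fields


def version_key(version):
    """Order versions numerically per dotted component, so 2.10.1 > 2.9.5.

    Assumption: components are integers, optionally followed by a suffix; the
    suffix is compared as text after the number and pre-release ordering is not modelled.
    """
    key = []
    for piece in version.split("."):
        number, suffix = re.fullmatch(r"(\d*)(.*)", piece).groups()
        key.append((int(number) if number else -1, suffix))
    return tuple(key)


def cpe_match_applies(match, vendor, product, version):
    """True when one cpeMatch entry covers the given vendor/product/version."""
    part, m_vendor, m_product, m_version = split_cpe(match["criteria"])[2:6]
    if part != "a" or m_vendor != vendor or m_product != product:
        return False
    if m_version == "-":            # CPE "NA": no version applies
        return False
    if m_version != "*":            # exact version pinned inside the criteria string
        return version_key(m_version) == version_key(version)
    # Wildcard version: the range bounds sit beside the criteria string.
    v = version_key(version)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(check(version_key(match[name])) for name, check in bounds if name in match)


def node_matches(node, vendor, product, version):
    """Combine a node's cpeMatch entries with its operator, then apply negate."""
    hits = [m.get("vulnerable", False) and cpe_match_applies(m, vendor, product, version)
            for m in node.get("cpeMatch", [])]
    combine = all if node.get("operator") == "AND" else any
    matched = combine(hits) if hits else False
    return (not matched) if node.get("negate") else matched


def is_affected(configurations, vendor, product, version):
    """A record applies when any of its configurations matches the install."""
    for config in configurations:
        if config.get("operator") == "AND":
            # Multi-node configurations pair the application with a platform node
            # (entries marked vulnerable: False). Matching those needs the platform
            # CPE as input, which this checker does not take: fail loudly instead
            # of reporting "not affected".
            raise NotImplementedError("platform-qualified configuration not supported")
        if any(node_matches(n, vendor, product, version) for n in config.get("nodes", [])):
            return True
    return False


def affected_ids(records, vendor, product, version):
    """IDs of the records whose configurations cover vendor/product/version."""
    return [r["id"] for r in records
            if is_affected(r["configurations"], vendor, product, version)]


if __name__ == "__main__":
    for v in ("2.5.0", "2.6.2", "2.6.3", "2.9.5", "13.6.0"):
        print(v, affected_ids(SAMPLE_RECORDS, "piwigo", "piwigo", v))
```

Note the caveat this page itself illustrates: a record that pins a single exact version (2.9.5, 11.5.0, 13.6.0) says only that the reporter tested that version, not that neighbouring versions are clean, so an empty result from the matcher is evidence of coverage gaps as much as of safety.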
Vulnerability from fkie_nvd
Published
2017-12-20 03:29
Modified
2024-11-21 03:18
Severity ?
Summary
Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.", }, { lang: "es", value: "Piwigo tiene una vulnerabilidad de Cross-Site Scripting (XSS) mediante el parámetro name en una petición admin.php?page=album-3-properties.", }, ], id: "CVE-2017-17775", lastModified: "2024-11-21T03:18:38.227", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-20T03:29:00.257", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, ], 
sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-09-13 13:15
Modified
2024-11-21 04:24
Severity ?
Summary
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://seclists.org/fulldisclosure/2019/Sep/25 | Mailing List, Third Party Advisory | |
cve@mitre.org | http://seclists.org/fulldisclosure/2020/Jun/29 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues | Issue Tracking | |
cve@mitre.org | https://piwigo.com | Product | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2019/Sep/25 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2020/Jun/29 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues | Issue Tracking | |
af854a3a-2127-422b-91ae-364da2661108 | https://piwigo.com | Product |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.", }, { lang: "es", value: "admin.php?page=account_billing en Piwigo versión 2.9.5, presenta una vulnerabilidad de tipo XSS por medio del parámetro vat_number, billing_name, company, o billing_address. Esto es explotable por medio de un ataque de tipo CSRF.", }, ], id: "CVE-2019-13364", lastModified: "2024-11-21T04:24:48.147", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-09-13T13:15:11.447", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: 
"http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { source: "cve@mitre.org", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { source: "cve@mitre.org", tags: [ "Product", ], url: "https://piwigo.com", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://piwigo.com", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1010 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1010 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.", }, { lang: "es", value: "Una vulnerabilidad de inyección SQL en el archivo cat_move.php en piwigo versión v2.9.5, por medio del parámetro selection de move_categories", }, ], id: "CVE-2020-19213", lastModified: "2024-11-21T05:09:02.263", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-06T14:15:08.267", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1010", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1010", }, ], 
sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*", matchCriteriaId: "F28058B1-07D1-458C-8AC2-C2914FE4516F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, { lang: "es", value: "El panel de gestión en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el parámetro virtual_name en una petición /admin.php?page=cat_list. Este problema es diferente de CVE-2017-9836. Podría ser posible la explotación de CSRF, relacionada con CVE-2017-10681.", }, ], id: "CVE-2018-7723", lastModified: "2024-11-21T04:12:36.340", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-03-06T17:29:00.370", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: 
"https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.", }, { lang: "es", value: "Una vulnerabilidad de inyección SQL en el archivo admin/user_perm.php en piwigo versión v2.9.5, por medio del parámetro cat_false en admin.php?page=group_perm", }, ], id: "CVE-2020-19216", lastModified: "2024-11-21T05:09:02.563", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-06T14:15:08.363", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1011", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.", }, { lang: "es", value: "Una vulnerabilidad de inyección SQL en el archivo admin/user_perm.php en piwigo versión v2.9.5, por medio del parámetro cat_false en admin.php?page=user_perm", }, ], id: "CVE-2020-19215", lastModified: "2024-11-21T05:09:02.420", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-06T14:15:08.313", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/issues/1011", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*", matchCriteriaId: "F28058B1-07D1-458C-8AC2-C2914FE4516F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, { lang: "es", value: "El panel de gestión en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el parámetro name en una petición /ws.php?format=json. Podría ser posible la explotación de CSRF, relacionada con CVE-2017-10681.", }, ], id: "CVE-2018-7722", lastModified: "2024-11-21T04:12:36.203", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-03-06T17:29:00.323", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2016-12-01 11:59
Modified
2024-11-21 03:01
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/94637 | Third Party Advisory, VDB Entry
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/559 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94637 | Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/559 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.8.3:*:*:*:*:*:*:*", matchCriteriaId: "0EA2C805-ABFB-49A0-8291-3A5D4548907F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.", }, { lang: "es", value: "Vulnerabilidad de XSS en los resultados de búsqueda front end en Piwigo 2.8.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de búsqueda.", }, ], id: "CVE-2016-9751", lastModified: "2024-11-21T03:01:42.427", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-12-01T11:59:10.103", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/94637", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party 
Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/559", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/94637", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/559", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-02-10 16:15
Modified
2024-11-21 05:38
Severity ?
Summary
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1150 | Exploit, Issue Tracking, Third Party Advisory
cve@mitre.org | https://piwigo.org/forum/viewforum.php?id=23 | Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1150 | Exploit, Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://piwigo.org/forum/viewforum.php?id=23 | Release Notes, Vendor Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*", matchCriteriaId: "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.", }, { lang: "es", value: "Piwigo versión 2.10.1, está afectado por una vulnerabilidad de tipo XSS almacenado por medio del Group Name Field en la página group_list.", }, ], id: "CVE-2020-8089", lastModified: "2024-11-21T05:38:16.767", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-02-10T16:15:14.267", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1150", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://piwigo.org/forum/viewforum.php?id=23", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue 
Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/1150", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://piwigo.org/forum/viewforum.php?id=23", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-03-16 17:29
Modified
2024-11-21 02:10
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:-:*:*:*:*:*:*", matchCriteriaId: "DCB952C8-9539-4007-8FD8-08D790953876", versionEndExcluding: "2.6.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.", }, { lang: "es", value: "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el el panel de administración en versiones anteriores a la 2.6.2 en Piwigo permite que atacantes remotos secuestren la autenticación de administradores para peticiones que añadan usuarios mediante una acción pwg.users.add en una petición en ws.php.", }, ], id: "CVE-2014-4613", lastModified: "2024-11-21T02:10:34.187", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-03-16T17:29:00.287", references: [ { 
source: "cve@mitre.org", tags: [ "Broken Link", ], url: "http://osvdb.org/show/osvdb/103774", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=0003055", }, { source: "cve@mitre.org", tags: [ "Release Notes", ], url: "http://piwigo.org/releases/2.6.2", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/oss-sec/2014/q2/610", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/oss-sec/2014/q2/623", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://www.exploit-db.com/exploits/31916", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/65811", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", ], url: "http://osvdb.org/show/osvdb/103774", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "http://piwigo.org/bugs/view.php?id=0003055", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "http://piwigo.org/releases/2.6.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/oss-sec/2014/q2/610", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/oss-sec/2014/q2/623", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ 
"Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://www.exploit-db.com/exploits/31916", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/65811", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-10-10 20:29
Modified
2024-11-21 02:44
Severity ?
Summary
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://piwigo.org/releases/2.8.3 | Patch, Release Notes, Vendor Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/547 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.3 | Patch, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/547 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "6A4BE149-A8CA-4C7D-9A2F-0ACAEEFB375A", versionEndIncluding: "2.8.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a \" character, or a URL beginning with a substring other than the http:// or https:// substring.", }, { lang: "es", value: "url_check_format en include/functions.inc.php en Piwigo, en versiones anteriores a la 2.8.3, permite que atacantes remotos omitan las restricciones de acceso establecidas, mediante una URL que contiene un carácter \" (comillas) o una URL que empieza con una subcadena diferente de http:// o https://.", }, ], id: "CVE-2016-10514", lastModified: "2024-11-21T02:44:10.710", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-10-10T20:29:00.273", references: 
[ { source: "cve@mitre.org", tags: [ "Patch", "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.3", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/547", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/547", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-06 16:29
Modified
2024-11-21 03:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/667 | Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/667 | Exploit, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "1931608C-2835-4E94-AC78-CCBB6C9EC9E5", versionEndIncluding: "2.9.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.", }, { lang: "es", value: "La vulnerabilidad de tipo Cross-site scripting (XSS) en el archivo admin.php en Piwigo versión 2.9.0 y anteriores, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro page.", }, ], id: "CVE-2017-9452", lastModified: "2024-11-21T03:36:09.873", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 1.7, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-06T16:29:00.297", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/667", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/667", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*", matchCriteriaId: "BB83CB5C-D31C-42B7-B011-72AE25409448", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.", }, { lang: "es", value: "El componente Batch Manager de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro element_ids en admin/batch_manager_unit.php en modo unit. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada.", }, ], id: "CVE-2017-17824", lastModified: "2024-11-21T03:18:45.450", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-12-21T04:29:00.353", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/825", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/825", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-09 15:15
Modified
2024-11-21 08:25
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "A9A51DBC-EA76-4B8F-8DE6-7745C843A675", versionEndIncluding: "13.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:14.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "C56DF199-9F77-4651-B7C7-B592A9C65AF7", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:14.0.0:beta2:*:*:*:*:*:*", matchCriteriaId: "7CBD8ECB-841F-4C29-A7DF-72F5D2FBBC99", vulnerable: true, }, { criteria: "cpe:2.3:a:piwigo:piwigo:14.0.0:beta3:*:*:*:*:*:*", matchCriteriaId: "2AB2327B-CFBB-4863-BEC1-B92F0602AF3A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. 
Version 14.0.0.beta4 contains a patch for this issue.", }, { lang: "es", value: "Piwigo es una aplicación de galería de fotografías de código abierto. Antes de la versión 14.0.0beta4, una vulnerabilidad de Cross-Site Scripting (XSS) reflejada se encuentra en la página ` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]`. Un atacante puede aprovechar esta vulnerabilidad para inyectar código HTML y JS malicioso en la página HTML, que luego los usuarios administradores podrían ejecutar cuando visiten la URL con el payload. La vulnerabilidad se debe a la inyección insegura del valor `plugin_id` de la URL en la página HTML. Un atacante puede aprovechar esta vulnerabilidad creando una URL maliciosa que contenga un valor \"plugin_id\" especialmente manipulado. Cuando una víctima que ha iniciado sesión como administrador visita esta URL, el código malicioso se inyectará en la página HTML y se ejecutará. Esta vulnerabilidad puede ser aprovechada por cualquier atacante que tenga acceso a una URL maliciosa. Sin embargo, sólo se ven afectados los usuarios que han iniciado sesión como administradores. Esto se debe a que la vulnerabilidad solo está presente en la página `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]`, a la que solo pueden acceder los administradores. 
La versión 14.0.0.beta4 contiene un parche para este problema.", }, ], id: "CVE-2023-44393", lastModified: "2024-11-21T08:25:48.623", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.3, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.8, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-09T15:15:10.057", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, { lang: "en", value: "CWE-80", }, ], source: "security-advisories@github.com", 
type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity
Summary
Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/99380 |
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Issue Tracking, Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/723 | Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99380 |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/723 | Issue Tracking, Patch, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5D356328-15B0-4402-94E6-8C16E09EB088", versionEndIncluding: "2.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.", }, { lang: "es", value: "Piwigo hasta la versión 2.9.1 permite que atacantes remotos obtengan información sensible sobre el nombre descriptivo de un vínculo permanente examinando la URL de redirección que se devuelve en una petición para el número de ID del vínculo permanente de un álbum privado. Los números de ID del vínculo permanente se adivinan fácilmente.", }, ], id: "CVE-2017-10679", lastModified: "2024-11-21T03:06:16.933", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, 
published: "2017-06-29T21:29:00.237", references: [ { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/99380", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/723", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/99380", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/723", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://www.securityfocus.com/bid/99362 |
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99362 |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5D356328-15B0-4402-94E6-8C16E09EB088", versionEndIncluding: "2.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.", }, { lang: "es", value: "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Piwigo hasta la versión 2.9.1 permite que atacantes remotos secuestren la autenticación de usuarios para peticiones que desbloquean álbumes mediante una petición manipulada.", }, ], id: "CVE-2017-10681", lastModified: "2024-11-21T03:06:17.247", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-29T21:29:00.297", references: [ { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/99362", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party 
Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "cve@mitre.org", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/99362", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:26
Severity
Summary
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E2C56A23-6191-4B62-82F3-35527976E603", versionEndIncluding: "2.7.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.", }, { lang: "es", value: "Vulnerabilidad de XSS en el backend administrativo en Piwigo anterior a 2.7.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro page en admin.php.", }, ], id: "CVE-2015-2034", lastModified: "2024-11-21T02:26:37.610", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], }, published: "2015-02-20T16:59:06.350", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, 
{ source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/72690", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/72690", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-10-10 20:29
Modified
2024-11-21 02:44
Severity
Summary
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
References
Source | URL | Tags
---|---|---
cve@mitre.org | http://piwigo.org/releases/2.8.3 | Release Notes, Vendor Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | Patch, Third Party Advisory
cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/548 | Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.3 | Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/548 | Issue Tracking, Third Party Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "6A4BE149-A8CA-4C7D-9A2F-0ACAEEFB375A", versionEndIncluding: "2.8.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.", }, { lang: "es", value: "Existe Cross-Site Scripting (XSS) en Piwigo en versiones anteriores a la 2.8.3 mediante una expresión de búsqueda manipulada en include/functions_search.inc.php.", }, ], id: "CVE-2016-10513", lastModified: "2024-11-21T02:44:10.577", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-10-10T20:29:00.210", references: [ { source: "cve@mitre.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.3", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/548", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.8.3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/548", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2012-08-14 22:55
Modified
2024-11-21 01:38
Severity
Summary
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E9FA2940-9F57-469B-BFEE-5499A87C4394", versionEndIncluding: "2.3.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.", }, { lang: "es", value: "Vulnerabilidad de recorrido de directorio en upgrade.php en Piwigo antes de v2.3.4 permite a atacantes remotos incluir y ejecutar archivos locales a través de un .. (punto punto) en el parámetro labguage (idioma).\r\n", }, ], id: "CVE-2012-2208", lastModified: "2024-11-21T01:38:42.373", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2012-08-14T22:55:01.783", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, { source: "cve@mitre.org", url: "http://piwigo.org/bugs/view.php?id=2607", }, { source: "cve@mitre.org", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { source: "cve@mitre.org", url: "http://piwigo.org/releases/2.3.4", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/48903", }, { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/18782", }, { source: "cve@mitre.org", tags: [ 
"Exploit", ], url: "http://www.securityfocus.com/bid/53245", }, { source: "cve@mitre.org", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185", }, { source: "cve@mitre.org", url: "https://www.htbridge.com/advisory/HTB23085", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/bugs/view.php?id=2607", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://piwigo.org/releases/2.3.4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://secunia.com/advisories/48903", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.exploit-db.com/exploits/18782", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://www.securityfocus.com/bid/53245", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.htbridge.com/advisory/HTB23085", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity
Summary
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "5D356328-15B0-4402-94E6-8C16E09EB088", versionEndIncluding: "2.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en el backend administrativo en Piwigo hasta la versión 2.9.2 permite que usuarios remotos ejecuten comandos SQL arbitrarios mediante los parámetros cat_false o cat_true en la página de comentarios o de estado en cat_options.php.", }, ], id: "CVE-2017-10682", lastModified: "2024-11-21T03:06:17.393", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-06-29T21:29:00.330", references: [ { source: "cve@mitre.org", url: 
"http://www.securityfocus.com/bid/99357", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/724", }, { source: "cve@mitre.org", url: "https://www.exploit-db.com/exploits/43337/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/99357", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/issues/724", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.exploit-db.com/exploits/43337/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2011-09-24 00:55
Modified
2024-11-21 01:31
Severity
Summary
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*", matchCriteriaId: "7024F414-7E9A-4FD9-9B34-EB0A5D820E87", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.", }, { lang: "es", value: "Piwigo v2.1.5 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con tools/metadata.php y algunos otros archivos.", }, ], id: "CVE-2011-3790", lastModified: "2024-11-21T01:31:16.233", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2011-09-24T00:55:02.833", references: [ { source: "cve@mitre.org", url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", }, { source: "cve@mitre.org", url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", }, { source: "cve@mitre.org", url: "http://www.openwall.com/lists/oss-security/2011/06/27/6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.openwall.com/lists/oss-security/2011/06/27/6", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:25
Severity
Summary
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E2C56A23-6191-4B62-82F3-35527976E603", versionEndIncluding: "2.7.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php.", }, { lang: "es", value: "Vulnerabilidad de inyección SQL en Piwigo anterior a 2.7.4, cuando todos los filtros están activados, permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro filter_level en una acción 'Refresh photo set' en la página batch_manager en admin.php.", }, ], id: "CVE-2015-1517", lastModified: "2024-11-21T02:25:35.300", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-02-20T16:59:05.163", references: [ { source: "cve@mitre.org", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", }, { source: "cve@mitre.org", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "cve@mitre.org", url: "http://www.securityfocus.com/archive/1/534723/100/0/threaded", 
}, { source: "cve@mitre.org", url: "http://www.securityfocus.com/bid/72664", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", ], url: "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://piwigo.org/releases/2.7.4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/archive/1/534723/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/72664", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-07 22:15
Modified
2024-11-21 08:11
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", matchCriteriaId: "E9188B4E-C34F-4967-8D30-2AE1AEB51C50", versionEndExcluding: "13.8.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.", }, ], id: "CVE-2023-37270", lastModified: "2024-11-21T08:11:21.770", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4.7, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, 
impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-07T22:15:09.570", references: [ { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", }, { source: "security-advisories@github.com", tags: [ "Product", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", }, { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", }, { source: "security-advisories@github.com", tags: [ "Release Notes", ], url: "https://piwigo.org/release-13.8.0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://piwigo.org/release-13.8.0", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: 
"security-advisories@github.com", type: "Primary", }, ], }
cve-2021-40313
Vulnerability from cvelistv5
Published
2021-12-06 20:22
Modified
2024-08-04 02:27
Severity ?
EPSS score ?
Summary
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1469 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:27:31.911Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1469", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-06T20:22:58", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1469", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-40313", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1469", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1469", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-40313", datePublished: "2021-12-06T20:22:58", dateReserved: "2021-08-30T00:00:00", dateUpdated: 
"2024-08-04T02:27:31.911Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-9836
Vulnerability from cvelistv5
Published
2017-06-24 15:00
Modified
2024-09-16 17:09
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/716 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:18:02.235Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/716", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-06-24T15:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/716", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-9836", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/716", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/716", }, ], }, }, }, }, cveMetadata: { assignerOrgId: 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-9836", datePublished: "2017-06-24T15:00:00Z", dateReserved: "2017-06-24T00:00:00Z", dateUpdated: "2024-09-16T17:09:04.217Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-40882
Vulnerability from cvelistv5
Published
2021-12-14 17:54
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1477 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:51:07.710Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1477", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-12-14T17:54:56", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1477", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-40882", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1477", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1477", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-40882", datePublished: "2021-12-14T17:54:56", dateReserved: "2021-09-13T00:00:00", dateUpdated: "2024-08-04T02:51:07.710Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-48007
Vulnerability from cvelistv5
Published
2023-01-27 00:00
Modified
2024-08-03 15:02
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T15:02:36.640Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1835", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-27T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/1835", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-48007", datePublished: "2023-01-27T00:00:00", dateReserved: "2022-12-29T00:00:00", dateUpdated: "2024-08-03T15:02:36.640Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-5692
Vulnerability from cvelistv5
Published
2018-01-14 04:00
Modified
2024-08-05 05:40
Severity ?
EPSS score ?
Summary
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
References
| URL | Tags |
|---|---|
| https://www.vulnerability-lab.com/get_content.php?id=2005 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T05:40:51.246Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.vulnerability-lab.com/get_content.php?id=2005", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-01-13T00:00:00", descriptions: [ { lang: "en", value: "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-14T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.vulnerability-lab.com/get_content.php?id=2005", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-5692", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://www.vulnerability-lab.com/get_content.php?id=2005", refsource: "MISC", url: "https://www.vulnerability-lab.com/get_content.php?id=2005", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-5692", datePublished: 
"2018-01-14T04:00:00", dateReserved: "2018-01-13T00:00:00", dateUpdated: "2024-08-05T05:40:51.246Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-40317
Vulnerability from cvelistv5
Published
2022-05-26 12:04
Modified
2024-08-04 02:27
Severity ?
EPSS score ?
Summary
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1470 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:27:31.908Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1470", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-26T12:04:52", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1470", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-40317", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1470", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1470", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-40317", datePublished: "2022-05-26T12:04:52", dateReserved: "2021-08-30T00:00:00", dateUpdated: "2024-08-04T02:27:31.908Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17826
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:18.107Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-20T00:00:00", descriptions: [ { lang: "en", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-21T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17826", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. 
An attacker can exploit this to hijack a client's browser along with the data stored in it.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", refsource: "MISC", url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17826", datePublished: "2017-12-21T04:00:00", dateReserved: "2017-12-20T00:00:00", dateUpdated: "2024-08-05T20:59:18.107Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-10680
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99349 | vdb-entry, x_refsource_BID |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM |
| https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:41:55.662Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "99349", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/99349", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-29T00:00:00", descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-03T09:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "99349", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/99349", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-10680", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site request forgery 
(CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "99349", refsource: "BID", url: "http://www.securityfocus.com/bid/99349", }, { name: "https://github.com/Piwigo/Piwigo/issues/721", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/721", }, { name: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-10680", datePublished: "2017-06-29T21:00:00", dateReserved: "2017-06-29T00:00:00", dateUpdated: "2024-08-05T17:41:55.662Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-10105
Vulnerability from cvelistv5
Published
2017-01-03 06:34
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/95202 | vdb-entry, x_refsource_BID |
| https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | x_refsource_CONFIRM |
| https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:07:32.182Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", }, { name: "95202", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/95202", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-01-02T00:00:00", descriptions: [ { lang: "en", value: "admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. 
sequence.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-04T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", }, { name: "95202", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/95202", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-10105", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. 
sequence.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358", }, { name: "95202", refsource: "BID", url: "http://www.securityfocus.com/bid/95202", }, { name: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31", }, { name: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-10105", datePublished: "2017-01-03T06:34:00", dateReserved: "2017-01-02T00:00:00", dateUpdated: "2024-08-06T03:07:32.182Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-1468
Vulnerability from cvelistv5
Published
2013-03-12 16:00
Modified
2024-09-16 16:38
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
References
| URL | Tags |
|---|---|
| http://piwigo.org/forum/viewtopic.php?id=21470 | x_refsource_CONFIRM |
| http://piwigo.org/releases/2.4.7 | x_refsource_CONFIRM |
| https://www.htbridge.com/advisory/HTB23144 | x_refsource_MISC |
| http://secunia.com/advisories/52228 | third-party-advisory, x_refsource_SECUNIA |
| http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | x_refsource_MISC |
| http://www.exploit-db.com/exploits/24561 | exploit, x_refsource_EXPLOIT-DB |
| http://piwigo.org/bugs/view.php?id=0002844 | x_refsource_CONFIRM |
| http://www.osvdb.org/90504 | vdb-entry, x_refsource_OSVDB |
| http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | mailing-list, x_refsource_BUGTRAQ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T15:04:49.005Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.4.7", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { name: "52228", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/52228", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "http://www.exploit-db.com/exploits/24561", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=0002844", }, { name: "90504", tags: [ "vdb-entry", "x_refsource_OSVDB", "x_transferred", ], url: "http://www.osvdb.org/90504", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2013-03-12T16:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", 
}, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.4.7", }, { tags: [ "x_refsource_MISC", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { name: "52228", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/52228", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "http://www.exploit-db.com/exploits/24561", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=0002844", }, { name: "90504", tags: [ "vdb-entry", "x_refsource_OSVDB", ], url: "http://www.osvdb.org/90504", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2013-1468", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://piwigo.org/forum/viewtopic.php?id=21470", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { name: 
"http://piwigo.org/releases/2.4.7", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.4.7", }, { name: "https://www.htbridge.com/advisory/HTB23144", refsource: "MISC", url: "https://www.htbridge.com/advisory/HTB23144", }, { name: "52228", refsource: "SECUNIA", url: "http://secunia.com/advisories/52228", }, { name: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", refsource: "EXPLOIT-DB", url: "http://www.exploit-db.com/exploits/24561", }, { name: "http://piwigo.org/bugs/view.php?id=0002844", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=0002844", }, { name: "90504", refsource: "OSVDB", url: "http://www.osvdb.org/90504", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", refsource: "BUGTRAQ", url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2013-1468", datePublished: "2013-03-12T16:00:00Z", dateReserved: "2013-01-29T00:00:00Z", dateUpdated: "2024-09-16T16:38:45.778Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-2208
Vulnerability from cvelistv5
Published
2012-08-14 22:00
Modified
2024-08-06 19:26
Summary
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
References
URL | Tags
---|---
http://www.exploit-db.com/exploits/18782 | exploit, x_refsource_EXPLOIT-DB
http://piwigo.org/forum/viewtopic.php?id=19173 | x_refsource_CONFIRM
https://www.htbridge.com/advisory/HTB23085 | x_refsource_MISC
http://piwigo.org/releases/2.3.4 | x_refsource_CONFIRM
https://exchange.xforce.ibmcloud.com/vulnerabilities/75185 | vdb-entry, x_refsource_XF
http://www.securityfocus.com/bid/53245 | vdb-entry, x_refsource_BID
http://secunia.com/advisories/48903 | third-party-advisory, x_refsource_SECUNIA
http://piwigo.org/bugs/view.php?id=2607 | x_refsource_CONFIRM
http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html | mailing-list, x_refsource_BUGTRAQ
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T19:26:08.983Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "18782", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "http://www.exploit-db.com/exploits/18782", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.htbridge.com/advisory/HTB23085", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.3.4", }, { name: "piwigo-language-directory-traversal(75185)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185", }, { name: "53245", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/53245", }, { name: "48903", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/48903", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-04-08T00:00:00", descriptions: [ { lang: "en", value: "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the language parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-08-28T12:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "18782", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "http://www.exploit-db.com/exploits/18782", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { tags: [ "x_refsource_MISC", ], url: "https://www.htbridge.com/advisory/HTB23085", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.3.4", }, { name: "piwigo-language-directory-traversal(75185)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185", }, { name: "53245", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/53245", }, { name: "48903", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/48903", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2012-2208", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. 
(dot dot) in the language parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "18782", refsource: "EXPLOIT-DB", url: "http://www.exploit-db.com/exploits/18782", }, { name: "http://piwigo.org/forum/viewtopic.php?id=19173", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { name: "https://www.htbridge.com/advisory/HTB23085", refsource: "MISC", url: "https://www.htbridge.com/advisory/HTB23085", }, { name: "http://piwigo.org/releases/2.3.4", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.3.4", }, { name: "piwigo-language-directory-traversal(75185)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185", }, { name: "53245", refsource: "BID", url: "http://www.securityfocus.com/bid/53245", }, { name: "48903", refsource: "SECUNIA", url: "http://secunia.com/advisories/48903", }, { name: "http://piwigo.org/bugs/view.php?id=2607", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", refsource: "BUGTRAQ", url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2012-2208", datePublished: "2012-08-14T22:00:00", dateReserved: "2012-04-04T00:00:00", dateUpdated: "2024-08-06T19:26:08.983Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-24620
Vulnerability from cvelistv5
Published
2022-02-23 14:26
Modified
2024-08-03 04:13
Summary
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, an admin can steal the webmaster's cookies to obtain the webmaster's access.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1605 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:13:57.004Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1605", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-23T14:26:24", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1605", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2022-24620", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. 
In this way, admin can steal webmaster's cookies to get the webmaster's access.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1605", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1605", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-24620", datePublished: "2022-02-23T14:26:24", dateReserved: "2022-02-07T00:00:00", dateUpdated: "2024-08-03T04:13:57.004Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-1441
Vulnerability from cvelistv5
Published
2015-02-03 16:00
Modified
2024-08-06 04:40
Summary
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
URL | Tags
---|---
http://piwigo.org/releases/2.6.5 | x_refsource_CONFIRM
http://secunia.com/advisories/62606 | third-party-advisory, x_refsource_SECUNIA
http://piwigo.org/releases/2.7.3 | x_refsource_CONFIRM
http://piwigo.org/forum/viewtopic.php?id=25016 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/72400 | vdb-entry, x_refsource_BID
http://piwigo.org/releases/2.5.6 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T04:40:18.705Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.6.5", }, { name: "62606", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/62606", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.7.3", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=25016", }, { name: "72400", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/72400", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.5.6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-01-09T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2015-02-03T15:57:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.6.5", }, { name: "62606", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/62606", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.7.3", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=25016", }, { name: "72400", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/72400", }, { tags: [ 
"x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.5.6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-1441", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://piwigo.org/releases/2.6.5", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.6.5", }, { name: "62606", refsource: "SECUNIA", url: "http://secunia.com/advisories/62606", }, { name: "http://piwigo.org/releases/2.7.3", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.7.3", }, { name: "http://piwigo.org/forum/viewtopic.php?id=25016", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=25016", }, { name: "72400", refsource: "BID", url: "http://www.securityfocus.com/bid/72400", }, { name: "http://piwigo.org/releases/2.5.6", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.5.6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-1441", datePublished: "2015-02-03T16:00:00", dateReserved: "2015-01-31T00:00:00", dateUpdated: "2024-08-06T04:40:18.705Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-44393
Vulnerability from cvelistv5
Published
2023-10-09 14:52
Modified
2024-09-19 13:51
Summary
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:07:32.753Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", }, { name: "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "piwigo", vendor: "piwigo", versions: [ { lessThan: "14.0.0beta4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-44393", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-19T13:38:37.063877Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-19T13:51:52.766Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Piwigo", vendor: "Piwigo", versions: [ { status: "affected", version: "< 14.0.0beta4", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. 
The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.3, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-80", description: "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-09T14:52:42.879Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg", }, { name: "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", tags: [ "x_refsource_MISC", ], url: 
"https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23", }, ], source: { advisory: "GHSA-qg85-957m-7vgg", discovery: "UNKNOWN", }, title: "Piwigo Reflected XSS vulnerability", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-44393", datePublished: "2023-10-09T14:52:42.879Z", dateReserved: "2023-09-28T17:56:32.614Z", dateUpdated: "2024-09-19T13:51:52.766Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-7723
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
URL | Tags
---|---
https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:31:05.147Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-03-06T00:00:00", descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-06T16:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-7723", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. 
CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", refsource: "MISC", url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-7723", datePublished: "2018-03-06T17:00:00", dateReserved: "2018-03-06T00:00:00", dateUpdated: "2024-08-05T06:31:05.147Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-34626
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2024-12-18 16:14
Summary
Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1924 | 
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:17:04.174Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1924", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-34626", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-12-18T16:14:36.399249Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-12-18T16:14:51.547Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 13.7.0 is vulnerable to SQL Injection via the \"Users\" function.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-15T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/1924", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-34626", datePublished: "2023-06-15T00:00:00", dateReserved: "2023-06-07T00:00:00", dateUpdated: "2024-12-18T16:14:51.547Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-8089
Vulnerability from cvelistv5
Published
2020-02-10 15:12
Modified
2024-08-04 09:48
Summary
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
References
URL | Tags
---|---
https://piwigo.org/forum/viewforum.php?id=23 | x_refsource_MISC
https://github.com/Piwigo/Piwigo/issues/1150 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T09:48:25.487Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://piwigo.org/forum/viewforum.php?id=23", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1150", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-02-10T15:12:30", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://piwigo.org/forum/viewforum.php?id=23", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/1150", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-8089", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://piwigo.org/forum/viewforum.php?id=23", refsource: "MISC", url: "https://piwigo.org/forum/viewforum.php?id=23", }, { name: "https://github.com/Piwigo/Piwigo/issues/1150", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/1150", }, ], 
}, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-8089", datePublished: "2020-02-10T15:12:30", dateReserved: "2020-01-27T00:00:00", dateUpdated: "2024-08-04T09:48:25.487Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17774
Vulnerability from cvelistv5
Published
2017-12-20 03:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
admin/configuration.php in Piwigo 2.9.2 has CSRF.
References
URL | Tags
---|---
https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | x_refsource_MISC
https://github.com/Piwigo/Piwigo/issues/822 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:17.686Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-19T00:00:00", descriptions: [ { lang: "en", value: "admin/configuration.php in Piwigo 2.9.2 has CSRF.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-20T03:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17774", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "admin/configuration.php in Piwigo 2.9.2 has CSRF.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", refsource: "MISC", url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, { name: "https://github.com/Piwigo/Piwigo/issues/822", refsource: "MISC", url: 
"https://github.com/Piwigo/Piwigo/issues/822", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17774", datePublished: "2017-12-20T03:00:00", dateReserved: "2017-12-19T00:00:00", dateUpdated: "2024-08-05T20:59:17.686Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-10682
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/724 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/99357 | vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/43337/ | exploit, x_refsource_EXPLOIT-DB
https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:41:55.513Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/724", }, { name: "99357", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/99357", }, { name: "43337", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/43337/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-29T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-19T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/724", }, { name: "99357", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/99357", }, { name: "43337", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/43337/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-10682", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { 
product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/724", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/724", }, { name: "99357", refsource: "BID", url: "http://www.securityfocus.com/bid/99357", }, { name: "43337", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/43337/", }, { name: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-10682", datePublished: "2017-06-29T21:00:00", dateReserved: "2017-06-29T00:00:00", dateUpdated: "2024-08-05T17:41:55.513Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-37270
Vulnerability from cvelistv5
Published
2023-07-07 21:26
Modified
2024-10-18 18:37
Severity ?
EPSS score ?
Summary
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be logged in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T17:09:34.105Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", }, { name: "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", }, { name: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", }, { name: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", }, { name: "https://piwigo.org/release-13.8.0", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://piwigo.org/release-13.8.0", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "piwigo", vendor: "piwigo", versions: [ { lessThan: "13.8.0", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-37270", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-18T18:06:38.544954Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-18T18:37:52.526Z", orgId: 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Piwigo", vendor: "Piwigo", versions: [ { status: "affected", version: "< 13.8.0", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-07T21:26:28.573Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx", }, { name: 
"https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a", }, { name: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491", }, { name: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621", }, { name: "https://piwigo.org/release-13.8.0", tags: [ "x_refsource_MISC", ], url: "https://piwigo.org/release-13.8.0", }, ], source: { advisory: "GHSA-934w-qj9p-3qcx", discovery: "UNKNOWN", }, title: "Piwigo SQL Injection vulnerability in \"User-Agent\"", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-37270", datePublished: "2023-07-07T21:26:28.573Z", dateReserved: "2023-06-29T19:35:26.439Z", dateUpdated: "2024-10-18T18:37:52.526Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2012-4526
Vulnerability from cvelistv5
Published
2019-12-02 17:48
Modified
2024-08-06 20:42
Severity ?
EPSS score ?
Summary
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
References
URL | Tags
---|---
http://www.openwall.com/lists/oss-security/2013/02/11/1 | x_refsource_MISC
https://security-tracker.debian.org/tracker/CVE-2012-4526 | x_refsource_MISC
https://access.redhat.com/security/cve/cve-2012-4526 | x_refsource_MISC
http://www.securityfocus.com/bid/55710 | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2012/10/18/4 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T20:42:54.961Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4526", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://access.redhat.com/security/cve/cve-2012-4526", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.securityfocus.com/bid/55710", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "piwigo", vendor: "piwigo", versions: [ { status: "affected", version: "2.4.4", }, ], }, ], descriptions: [ { lang: "en", value: "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)", }, ], problemTypes: [ { descriptions: [ { description: "in password.php, incomplete fix for CVE-2012-4525", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-12-02T17:48:45", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { tags: [ "x_refsource_MISC", ], url: "https://security-tracker.debian.org/tracker/CVE-2012-4526", }, { tags: [ "x_refsource_MISC", ], url: "https://access.redhat.com/security/cve/cve-2012-4526", }, { tags: [ "x_refsource_MISC", ], url: "http://www.securityfocus.com/bid/55710", }, { tags: [ "x_refsource_MISC", ], url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2012-4526", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "piwigo", version: { 
version_data: [ { version_value: "2.4.4", }, ], }, }, ], }, vendor_name: "piwigo", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "in password.php, incomplete fix for CVE-2012-4525", }, ], }, ], }, references: { reference_data: [ { name: "http://www.openwall.com/lists/oss-security/2013/02/11/1", refsource: "MISC", url: "http://www.openwall.com/lists/oss-security/2013/02/11/1", }, { name: "https://security-tracker.debian.org/tracker/CVE-2012-4526", refsource: "MISC", url: "https://security-tracker.debian.org/tracker/CVE-2012-4526", }, { name: "https://access.redhat.com/security/cve/cve-2012-4526", refsource: "MISC", url: "https://access.redhat.com/security/cve/cve-2012-4526", }, { name: "http://www.securityfocus.com/bid/55710", refsource: "MISC", url: "http://www.securityfocus.com/bid/55710", }, { name: "http://www.openwall.com/lists/oss-security/2012/10/18/4", refsource: "MISC", url: "http://www.openwall.com/lists/oss-security/2012/10/18/4", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2012-4526", datePublished: "2019-12-02T17:48:45", dateReserved: "2012-08-21T00:00:00", dateUpdated: "2024-08-06T20:42:54.961Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-2034
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 05:02
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.
References
URL | Tags
---|---
http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html | x_refsource_MISC
http://www.securityfocus.com/bid/72690 | vdb-entry, x_refsource_BID
http://seclists.org/fulldisclosure/2015/Feb/73 | mailing-list, x_refsource_FULLDISC
http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html | x_refsource_MISC
http://piwigo.org/releases/2.7.4 | x_refsource_CONFIRM
http://piwigo.org/forum/viewtopic.php?id=25179 | x_refsource_CONFIRM
http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T05:02:43.269Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { name: "72690", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/72690", }, { name: "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo <= v. 2.7.3", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.7.4", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-02-17T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2016-11-28T20:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { name: "72690", tags: [ "vdb-entry", "x_refsource_BID", ], 
url: "http://www.securityfocus.com/bid/72690", }, { name: "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo <= v. 2.7.3", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.7.4", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { tags: [ "x_refsource_MISC", ], url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-2034", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", refsource: "MISC", url: "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html", }, { name: "72690", refsource: "BID", url: "http://www.securityfocus.com/bid/72690", }, { name: "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo <= v. 
2.7.3", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2015/Feb/73", }, { name: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html", }, { name: "http://piwigo.org/releases/2.7.4", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.7.4", }, { name: "http://piwigo.org/forum/viewtopic.php?id=25179", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, { name: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", refsource: "MISC", url: "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-2034", datePublished: "2015-02-20T16:00:00", dateReserved: "2015-02-19T00:00:00", dateUpdated: "2024-08-06T05:02:43.269Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-10681
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/99362 | vdb-entry, x_refsource_BID
https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:41:55.519Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "99362", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/99362", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-29T00:00:00", descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-04T09:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "99362", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/99362", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-10681", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site request forgery (CSRF) vulnerability 
in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "99362", refsource: "BID", url: "http://www.securityfocus.com/bid/99362", }, { name: "https://github.com/Piwigo/Piwigo/issues/721", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/721", }, { name: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-10681", datePublished: "2017-06-29T21:00:00", dateReserved: "2017-06-29T00:00:00", dateUpdated: "2024-08-05T17:41:55.519Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2013-1469
Vulnerability from cvelistv5
Published
2013-03-13 20:48
Modified
2024-09-17 02:42
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
References
URL | Tags
---|---
http://piwigo.org/forum/viewtopic.php?id=21470 | x_refsource_CONFIRM
http://piwigo.org/releases/2.4.7 | x_refsource_CONFIRM
https://www.htbridge.com/advisory/HTB23144 | x_refsource_MISC
http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | x_refsource_MISC
http://www.exploit-db.com/exploits/24561 | exploit, x_refsource_EXPLOIT-DB
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php | x_refsource_MISC
http://piwigo.org/bugs/view.php?id=0002843 | x_refsource_CONFIRM
http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | mailing-list, x_refsource_BUGTRAQ
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T15:04:48.799Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.4.7", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "http://www.exploit-db.com/exploits/24561", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=0002843", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. 
(dot dot) in the dl parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2013-03-13T20:48:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.4.7", }, { tags: [ "x_refsource_MISC", ], url: "https://www.htbridge.com/advisory/HTB23144", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "http://www.exploit-db.com/exploits/24561", }, { tags: [ "x_refsource_MISC", ], url: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=0002843", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2013-1469", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. 
(dot dot) in the dl parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://piwigo.org/forum/viewtopic.php?id=21470", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=21470", }, { name: "http://piwigo.org/releases/2.4.7", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.4.7", }, { name: "https://www.htbridge.com/advisory/HTB23144", refsource: "MISC", url: "https://www.htbridge.com/advisory/HTB23144", }, { name: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html", }, { name: "24561", refsource: "EXPLOIT-DB", url: "http://www.exploit-db.com/exploits/24561", }, { name: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", refsource: "MISC", url: "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php", }, { name: "http://piwigo.org/bugs/view.php?id=0002843", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=0002843", }, { name: "20130227 Multiple Vulnerabilities in Piwigo", refsource: "BUGTRAQ", url: "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2013-1469", datePublished: "2013-03-13T20:48:00Z", dateReserved: "2013-01-29T00:00:00Z", dateUpdated: "2024-09-17T02:42:20.049Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-3735
Vulnerability from cvelistv5
Published
2022-01-28 00:00
Modified
2024-08-06 00:03
Summary
Piwigo is image gallery software written in PHP. When a criterion is not met on a host, Piwigo defaults to using mt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This allows an unauthenticated attacker to take over an account, provided they know an administrator's email address in order to be able to request a password reset.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T00:03:34.506Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "http://piwigo.org/release-2.8.1%2C", }, { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/470%2C", }, { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Piwigo", vendor: "n/a", versions: [ { status: "affected", version: "piwigo < 2.8.1", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-335", description: "CWE-335", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-07T00:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "http://piwigo.org/release-2.8.1%2C", }, { url: "https://github.com/Piwigo/Piwigo/issues/470%2C", }, { url: "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-3735", datePublished: "2022-01-28T00:00:00", dateReserved: "2016-03-30T00:00:00", dateUpdated: "2024-08-06T00:03:34.506Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-9468
Vulnerability from cvelistv5
Published
2020-03-26 19:12
Modified
2024-08-04 10:26
Summary
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.
References
| URL | Tags |
|---|---|
| https://piwigo.org/ext/extension_view.php?eid=303 | x_refsource_MISC |
| https://github.com/plegall/Piwigo-community/issues/49 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T10:26:16.262Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://piwigo.org/ext/extension_view.php?eid=303", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/plegall/Piwigo-community/issues/49", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-03-26T19:12:15", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://piwigo.org/ext/extension_view.php?eid=303", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/plegall/Piwigo-community/issues/49", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-9468", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://piwigo.org/ext/extension_view.php?eid=303", 
refsource: "MISC", url: "https://piwigo.org/ext/extension_view.php?eid=303", }, { name: "https://github.com/plegall/Piwigo-community/issues/49", refsource: "MISC", url: "https://github.com/plegall/Piwigo-community/issues/49", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-9468", datePublished: "2020-03-26T19:12:15", dateReserved: "2020-02-28T00:00:00", dateUpdated: "2024-08-04T10:26:16.262Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-10083
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Summary
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | x_refsource_CONFIRM |
| https://github.com/Piwigo/Piwigo/issues/575 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/95166 | vdb-entry, x_refsource_BID |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:07:32.130Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/575", }, { name: "95166", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/95166", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-12-30T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-02T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/575", }, { name: "95166", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/95166", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-10083", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting 
(XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7", }, { name: "https://github.com/Piwigo/Piwigo/issues/575", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/575", }, { name: "95166", refsource: "BID", url: "http://www.securityfocus.com/bid/95166", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-10083", datePublished: "2016-12-30T07:08:00", dateReserved: "2016-12-30T00:00:00", dateUpdated: "2024-08-06T03:07:32.130Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17824
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:17.997Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/825", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-20T00:00:00", descriptions: [ { lang: "en", value: "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. 
An attacker can exploit this to gain access to the data in a connected MySQL database.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-21T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/825", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17824", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. 
An attacker can exploit this to gain access to the data in a connected MySQL database.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", refsource: "MISC", url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, { name: "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c", }, { name: "https://github.com/Piwigo/Piwigo/issues/825", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/825", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17824", datePublished: "2017-12-21T04:00:00", dateReserved: "2017-12-20T00:00:00", dateUpdated: "2024-08-05T20:59:17.997Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-1980
Vulnerability from cvelistv5
Published
2014-08-14 01:00
Modified
2024-08-06 09:58
Summary
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
References
| URL | Tags |
|---|---|
| http://jvn.jp/en/jp/JVN80310172/index.html | third-party-advisory, x_refsource_JVN |
| http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092 | third-party-advisory, x_refsource_JVNDB |
| http://piwigo.org/bugs/view.php?id=2805 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T09:58:15.564Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "JVN#80310172", tags: [ "third-party-advisory", "x_refsource_JVN", "x_transferred", ], url: "http://jvn.jp/en/jp/JVN80310172/index.html", }, { name: "JVNDB-2014-000092", tags: [ "third-party-advisory", "x_refsource_JVNDB", "x_transferred", ], url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=2805", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-12-13T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-08-14T00:57:00", orgId: "ede6fdc4-6654-4307-a26d-3331c018e2ce", shortName: "jpcert", }, references: [ { name: "JVN#80310172", tags: [ "third-party-advisory", "x_refsource_JVN", ], url: "http://jvn.jp/en/jp/JVN80310172/index.html", }, { name: "JVNDB-2014-000092", tags: [ "third-party-advisory", "x_refsource_JVNDB", ], url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=2805", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "vultures@jpcert.or.jp", ID: "CVE-2014-1980", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", 
data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "JVN#80310172", refsource: "JVN", url: "http://jvn.jp/en/jp/JVN80310172/index.html", }, { name: "JVNDB-2014-000092", refsource: "JVNDB", url: "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092", }, { name: "http://piwigo.org/bugs/view.php?id=2805", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=2805", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "ede6fdc4-6654-4307-a26d-3331c018e2ce", assignerShortName: "jpcert", cveId: "CVE-2014-1980", datePublished: "2014-08-14T01:00:00", dateReserved: "2014-02-17T00:00:00", dateUpdated: "2024-08-06T09:58:15.564Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17827
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Summary
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:17.924Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-20T00:00:00", descriptions: [ { lang: "en", value: "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-21T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/822", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17827", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, 
vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/822", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/822", }, { name: "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f", }, { name: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", refsource: "MISC", url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17827", datePublished: "2017-12-21T04:00:00", dateReserved: "2017-12-20T00:00:00", dateUpdated: "2024-08-05T20:59:17.924Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-5608
Vulnerability from cvelistv5
Published
2017-01-28 18:00
Modified
2024-08-05 15:04
Summary
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/600 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/95848 | vdb-entry, x_refsource_BID |
| https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | x_refsource_CONFIRM |
| http://piwigo.org/releases/2.8.6 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:04:15.355Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/600", }, { name: "95848", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/95848", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.8.6", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-01-28T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-31T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/600", }, { name: "95848", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/95848", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.8.6", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-5608", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, 
], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/600", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/600", }, { name: "95848", refsource: "BID", url: "http://www.securityfocus.com/bid/95848", }, { name: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb", }, { name: "http://piwigo.org/releases/2.8.6", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.8.6", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-5608", datePublished: "2017-01-28T18:00:00", dateReserved: "2017-01-28T00:00:00", dateUpdated: "2024-08-05T15:04:15.355Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-10085
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Summary
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/95167 | vdb-entry, x_refsource_BID |
| https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:07:32.142Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", }, { name: "95167", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/95167", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-12-30T00:00:00", descriptions: [ { lang: "en", value: "admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-02T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", }, { name: "95167", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/95167", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-10085", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "admin/languages.php in Piwigo through 2.8.3 
allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558", }, { name: "95167", refsource: "BID", url: "http://www.securityfocus.com/bid/95167", }, { name: "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-10085", datePublished: "2016-12-30T07:08:00", dateReserved: "2016-12-30T00:00:00", dateUpdated: "2024-08-06T03:07:32.142Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-1517
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 04:47
Summary
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/72664 | vdb-entry, x_refsource_BID |
| http://www.securityfocus.com/archive/1/534723/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html | x_refsource_MISC |
| http://piwigo.org/releases/2.7.4 | x_refsource_CONFIRM |
| http://piwigo.org/forum/viewtopic.php?id=25179 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T04:47:16.749Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "72664", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/72664", }, { name: "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/534723/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.7.4", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-02-18T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-09T18:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "72664", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/72664", }, { name: "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/534723/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: 
"http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.7.4", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-1517", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "72664", refsource: "BID", url: "http://www.securityfocus.com/bid/72664", }, { name: "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/534723/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html", }, { name: "http://piwigo.org/releases/2.7.4", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.7.4", }, { name: "http://piwigo.org/forum/viewtopic.php?id=25179", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=25179", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-1517", datePublished: "2015-02-20T16:00:00", dateReserved: "2015-02-06T00:00:00", dateUpdated: 
"2024-08-06T04:47:16.749Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-10679
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Summary
Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/99380 | vdb-entry, x_refsource_BID
https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/issues/723 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:41:55.552Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "99380", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/99380", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/723", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-29T00:00:00", descriptions: [ { lang: "en", value: "Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-05T09:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "99380", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/99380", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/723", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-10679", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo through 2.9.1 allows remote 
attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "99380", refsource: "BID", url: "http://www.securityfocus.com/bid/99380", }, { name: "https://github.com/Piwigo/Piwigo/issues/721", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/721", }, { name: "https://github.com/Piwigo/Piwigo/issues/723", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/723", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-10679", datePublished: "2017-06-29T21:00:00", dateReserved: "2017-06-29T00:00:00", dateUpdated: "2024-08-05T17:41:55.552Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
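The redirect leak in CVE-2017-10679 is an ordering bug: the server resolves a guessable numeric permalink id to the album's descriptive name and redirects before deciding whether the caller may see that album, so an unauthenticated client can walk the id space and read private names out of Location headers. The Python below is an added model of that behaviour, not Piwigo code; the album table, handler names and URL shape are constructed for illustration. It contrasts the leaky ordering with a handler that authorises first and answers identically for private and non-existent ids.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data: album id -> (permalink name, is_private).
# Ids, names and privacy flags are invented for the example.
ALBUMS = {
    1: ("holidays-2016", False),
    2: ("family-only", True),
    3: ("board-meeting-photos", True),
    4: ("public-events", False),
}

@dataclass
class Response:
    status: int
    location: str | None = None

def leaky_handler(album_id: int, user_is_authorised: bool) -> Response:
    """Vulnerable ordering: resolve the id and redirect, authorise later.

    The 302 carries the descriptive name even when the caller has no right
    to see the album, so anyone who can guess the id learns the name.
    """
    if album_id not in ALBUMS:
        return Response(404)
    name, _private = ALBUMS[album_id]
    return Response(302, location=f"/index.php?/{name}")

def fixed_handler(album_id: int, user_is_authorised: bool) -> Response:
    """Authorise before resolving. An unauthorised caller gets the same
    answer for a private album as for an id that does not exist, so the
    response is no longer an oracle for either the name or existence."""
    entry = ALBUMS.get(album_id)
    if entry is None:
        return Response(404)
    name, private = entry
    if private and not user_is_authorised:
        return Response(404)
    return Response(302, location=f"/index.php?/{name}")

def enumerate_names(handler, max_id: int) -> dict[int, str]:
    """What an anonymous client learns by requesting ids 1..max_id and
    reading the Location header of every redirect it receives."""
    found = {}
    for album_id in range(1, max_id + 1):
        resp = handler(album_id, user_is_authorised=False)
        if resp.status == 302 and resp.location:
            found[album_id] = resp.location.rsplit("/", 1)[-1]
    return found

def leaked_private_names(handler, max_id: int) -> set[str]:
    """Private album names recovered by the anonymous enumeration."""
    private = {name for name, is_private in ALBUMS.values() if is_private}
    return private & set(enumerate_names(handler, max_id).values())

if __name__ == "__main__":
    print("leaky handler leaks:", leaked_private_names(leaky_handler, 10))
    print("fixed handler leaks:", leaked_private_names(fixed_handler, 10))
```

Sequential ids are fine on their own; what makes them a problem here is that the server reveals something about the object before checking the caller's right to it. The fix is the ordering of the check, not a move to random ids.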
cve-2021-27973
Vulnerability from cvelistv5
Published
2021-04-02 18:19
Modified
2024-08-03 21:33
Summary
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1352 | x_refsource_MISC
http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:33:17.015Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1352", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-30T16:06:22", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1352", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-27973", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1352", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1352", }, { name: 
"http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-27973", datePublished: "2021-04-02T18:19:28", dateReserved: "2021-03-05T00:00:00", dateUpdated: "2024-08-03T21:33:17.015Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2009-2933
Vulnerability from cvelistv5
Published
2009-08-21 20:21
Modified
2024-08-07 06:07
Summary
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
References
URL | Tags
---|---
http://secunia.com/advisories/36333 | third-party-advisory, x_refsource_SECUNIA
http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf | x_refsource_MISC
http://www.securityfocus.com/archive/1/505801/100/0/threaded | mailing-list, x_refsource_BUGTRAQ
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T06:07:37.245Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "36333", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/36333", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", }, { name: "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/505801/100/0/threaded", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2009-08-17T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-10T18:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "36333", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/36333", }, { tags: [ "x_refsource_MISC", ], url: "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", }, { name: "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/505801/100/0/threaded", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2009-2933", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: 
"n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "36333", refsource: "SECUNIA", url: "http://secunia.com/advisories/36333", }, { name: "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", refsource: "MISC", url: "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf", }, { name: "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/505801/100/0/threaded", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2009-2933", datePublished: "2009-08-21T20:21:00", dateReserved: "2009-08-21T00:00:00", dateUpdated: "2024-08-07T06:07:37.245Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-9751
Vulnerability from cvelistv5
Published
2016-12-01 11:00
Modified
2024-08-06 02:59
Summary
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
References
URL | Tags
---|---
http://www.securityfocus.com/bid/94637 | vdb-entry, x_refsource_BID
https://github.com/Piwigo/Piwigo/issues/559 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T02:59:03.461Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "94637", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/94637", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/559", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-12-01T00:00:00", descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2016-12-05T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "94637", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/94637", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/559", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-9751", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: 
"94637", refsource: "BID", url: "http://www.securityfocus.com/bid/94637", }, { name: "https://github.com/Piwigo/Piwigo/issues/559", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/559", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-9751", datePublished: "2016-12-01T11:00:00", dateReserved: "2016-12-01T00:00:00", dateUpdated: "2024-08-06T02:59:03.461Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-13364
Vulnerability from cvelistv5
Published
2019-09-13 12:24
Modified
2024-08-04 23:49
Summary
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
References
URL | Tags
---|---
https://piwigo.com | x_refsource_MISC
https://github.com/Piwigo/Piwigo/issues | x_refsource_MISC
http://seclists.org/fulldisclosure/2019/Sep/25 | x_refsource_MISC
http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | x_refsource_MISC
http://seclists.org/fulldisclosure/2020/Jun/29 | mailing-list, x_refsource_FULLDISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T23:49:24.765Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://piwigo.com", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { name: "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. 
This is exploitable via CSRF.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-06-23T20:06:08", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://piwigo.com", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues", }, { tags: [ "x_refsource_MISC", ], url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { name: "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2019-13364", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. 
This is exploitable via CSRF.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://piwigo.com", refsource: "MISC", url: "https://piwigo.com", }, { name: "https://github.com/Piwigo/Piwigo/issues", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues", }, { name: "http://seclists.org/fulldisclosure/2019/Sep/25", refsource: "MISC", url: "http://seclists.org/fulldisclosure/2019/Sep/25", }, { name: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html", }, { name: "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2020/Jun/29", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2019-13364", datePublished: "2019-09-13T12:24:45", dateReserved: "2019-07-06T00:00:00", dateUpdated: "2024-08-04T23:49:24.765Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-33361
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 15:34
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T15:47:05.042Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1910", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-33361", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-31T15:34:30.264938Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-31T15:34:35.058Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-23T00:00:00.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/1910", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-33361", datePublished: "2023-05-23T00:00:00.000Z", dateReserved: 
"2023-05-22T00:00:00.000Z", dateUpdated: "2025-01-31T15:34:35.058Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
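CVE-2009-2933 (items_number), CVE-2015-1517 (filter_level), CVE-2021-27973 (language) and CVE-2023-33361 (permalinks) on this page are one defect class: a request parameter is concatenated into the SQL text. The Python/sqlite3 example below is added here and is not Piwigo code; the schema, the rows, the placeholder credential hash and the payloads are all constructed. It shows a numeric parameter and a string parameter each turned into a UNION that reads an unrelated table, beside the hardened form that enforces the type the code relies on and binds the value.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; not Piwigo's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE images (id INTEGER, name TEXT, level INTEGER);
        INSERT INTO images VALUES (1, 'beach.jpg', 0), (2, 'family.jpg', 4), (3, 'board.jpg', 8);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
        CREATE TABLE languages (id TEXT, name TEXT);
        INSERT INTO languages VALUES ('en_UK', 'English'), ('fr_FR', 'Francais');
    """)
    return db

def photos_vulnerable(db, filter_level: str) -> list:
    """Bug class shared by the SQL injection records: a parameter the code
    *expects* to be an integer is pasted into the statement text."""
    sql = f"SELECT id, name FROM images WHERE level <= {filter_level}"
    return db.execute(sql).fetchall()

def photos_fixed(db, filter_level: str) -> list:
    """Hardened form: check the type the query relies on, then bind."""
    if not filter_level.isdigit():
        raise ValueError("filter_level must be a non-negative integer")
    return db.execute("SELECT id, name FROM images WHERE level <= ? ORDER BY id",
                      (int(filter_level),)).fetchall()

def language_vulnerable(db, language: str) -> list:
    """Same defect with a string parameter: quoting alone does not help once
    the attacker controls the quote character."""
    sql = f"SELECT id, name FROM languages WHERE id = '{language}'"
    return db.execute(sql).fetchall()

def language_fixed(db, language: str) -> list:
    """Bind the value *and* restrict it to known identifiers, so a malformed
    value is rejected before the query runs."""
    known = {row[0] for row in db.execute("SELECT id FROM languages")}
    if language not in known:
        raise ValueError("unknown language id")
    return db.execute("SELECT id, name FROM languages WHERE id = ?",
                      (language,)).fetchall()

# Constructed payloads. Each keeps the column count of the original SELECT
# so the UNION pulls rows of an unrelated table into the page's result set.
INT_PAYLOAD = "0 UNION SELECT username, password FROM users"
STR_PAYLOAD = "x' UNION SELECT username, password FROM users -- "

def leaked_credentials(rows: list) -> bool:
    return ("admin", "hash-placeholder") in rows

def demo() -> dict:
    db = build_db()
    result = {
        "fixed_normal": photos_fixed(db, "4"),
        "vuln_int_leaks": leaked_credentials(photos_vulnerable(db, INT_PAYLOAD)),
        "vuln_str_leaks": leaked_credentials(language_vulnerable(db, STR_PAYLOAD)),
    }
    for key, fn, payload in (("fixed_int", photos_fixed, INT_PAYLOAD),
                             ("fixed_str", language_fixed, STR_PAYLOAD)):
        try:
            fn(db, payload)
            result[key] = "accepted"
        except ValueError:
            result[key] = "rejected"
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The type check and the bound parameter are both needed: binding stops the value from changing the statement shape, and the type check stops a value such as a negative or huge level from reaching logic that assumed a small non-negative integer.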
cve-2011-3790
Vulnerability from cvelistv5
Published
2011-09-24 00:00
Modified
2024-09-16 21:57
Summary
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.
References
URL | Tags
---|---
http://www.openwall.com/lists/oss-security/2011/06/27/6 | mailing-list, x_refsource_MLIST
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README | x_refsource_MISC
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T23:46:03.025Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2011/06/27/6", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2011-09-24T00:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2011/06/27/6", }, { tags: [ "x_refsource_MISC", ], url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", }, { tags: [ "x_refsource_MISC", ], url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2011-3790", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: 
"n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2011/06/27/6", }, { name: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", refsource: "MISC", url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", }, { name: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", refsource: "MISC", url: "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2011-3790", datePublished: "2011-09-24T00:00:00Z", dateReserved: "2011-09-23T00:00:00Z", dateUpdated: "2024-09-16T21:57:19.991Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
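CVE-2011-3790 is the classic PHP full-path disclosure: a file meant only to be included is requested directly, PHP fails on an undefined constant or a missing include, and the error message prints the filesystem path. The standard fix is an include guard at the top of every non-entry file, plus display_errors turned off in production. The Python checker below is an added example, not part of Piwigo or of inspathx; the guard constant APP_ROOT and the sample file contents are constructed (the path tools/metadata.php is taken from the record above, its content is invented).

```python
import re

# Guard forms accepted by the check. The constant name is a placeholder
# assumption; a real run would pin it to the constant the bootstrap defines.
GUARD_RE = re.compile(
    r"""(?:
        if\s*\(\s*!\s*defined\s*\(\s*['"]\w+['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b
      | defined\s*\(\s*['"]\w+['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b
    )""",
    re.VERBOSE,
)

# Leading whitespace and comments that may precede the guard.
LEADING_NOISE_RE = re.compile(r"\A(?:\s|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)

# Files that are legitimately requested directly and so need no guard.
ENTRY_POINTS = {"index.php", "admin.php"}

def has_include_guard(php_source: str) -> bool:
    """True if the file refuses to run when included outside the application.
    Only the region before the first real statement is inspected: a guard
    placed after executable code does not count, because that code (and any
    error it raises) already ran."""
    body = php_source.split("<?php", 1)[1] if "<?php" in php_source else php_source
    body = LEADING_NOISE_RE.sub("", body, count=1)
    return GUARD_RE.match(body) is not None

def unguarded_files(files: dict) -> list:
    """Paths of non-entry .php files that lack a guard, sorted."""
    return sorted(path for path, src in files.items()
                  if path not in ENTRY_POINTS
                  and path.endswith(".php")
                  and not has_include_guard(src))

# Constructed sample tree (contents invented; only the tools/metadata.php
# path echoes the CVE record).
SAMPLE_FILES = {
    "index.php": "<?php\ndefine('APP_ROOT', './');\ninclude APP_ROOT.'include/common.inc.php';\n",
    "include/common.inc.php": "<?php\n// shared bootstrap\nif (!defined('APP_ROOT')) { die('Hacking attempt!'); }\n$x = 1;\n",
    "include/functions.inc.php": "<?php\ndefined('APP_ROOT') or die('Hacking attempt!');\nfunction f() {}\n",
    "tools/metadata.php": "<?php\ninclude_once(APP_ROOT.'include/functions.inc.php');\n",
}

if __name__ == "__main__":
    print("unguarded:", unguarded_files(SAMPLE_FILES))
```

Run against a real checkout the dictionary would be built by walking the web root; the guard is a mitigation for the information leak, while disabling display_errors removes the channel itself.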
cve-2021-40678
Vulnerability from cvelistv5
Published
2022-06-14 12:16
Modified
2024-08-04 02:51
Summary
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1476 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T02:51:06.615Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1476", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-06-14T12:16:48", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1476", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-40678", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1476", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1476", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-40678", datePublished: "2022-06-14T12:16:48", dateReserved: "2021-09-07T00:00:00", dateUpdated: 
"2024-08-04T02:51:06.615Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-7722
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
URL | Tags
---|---
https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:31:05.212Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-03-06T00:00:00", descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-06T16:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-7722", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. 
CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", refsource: "MISC", url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-7722", datePublished: "2018-03-06T17:00:00", dateReserved: "2018-03-06T00:00:00", dateUpdated: "2024-08-05T06:31:05.212Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
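CVE-2019-13364 and CVE-2018-7722 above note that the stored XSS is reachable through CSRF, that is, the state-changing admin request carries nothing a cross-site form could not forge. The Python below is an added illustration of a per-session, per-action CSRF token check and is not Piwigo code; the secret, the action label, the csrf_token parameter name and the request helper are constructed (billing_name is the parameter named in the CVE-2019-13364 record).

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed secret so the example runs stand-alone; a deployment loads it
# from configuration and rotates it together with the session store.
SERVER_SECRET = b"constructed-example-secret"

def issue_token(session_id: str, action: str) -> str:
    """Token bound to both the session and one state-changing action, so a
    token harvested from one form cannot be replayed against another."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def verify_token(session_id: str, action: str, presented: str | None) -> bool:
    """A missing token is a hard reject; the comparison is constant-time."""
    if not isinstance(presented, str) or not presented:
        return False
    expected = issue_token(session_id, action)
    return hmac.compare_digest(expected.encode(), presented.encode())

def handle_billing_update(session_id: str, form: dict) -> str:
    """Models a state-changing admin POST such as the billing form in the
    record above. The token check runs before anything is written."""
    if not verify_token(session_id, "account_billing", form.get("csrf_token")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 updated billing_name={form.get('billing_name', '')!r}"

def demo() -> dict:
    victim = secrets.token_hex(16)    # victim's session id, known server-side
    attacker = secrets.token_hex(16)  # attacker's own session
    legit = {"billing_name": "ACME",
             "csrf_token": issue_token(victim, "account_billing")}
    forged = {"billing_name": "<script>1</script>"}   # cross-site form: no token
    replayed = {"billing_name": "x",
                "csrf_token": issue_token(attacker, "account_billing")}
    return {
        "legit": handle_billing_update(victim, legit),
        "forged": handle_billing_update(victim, forged),
        "other_session_token": handle_billing_update(victim, replayed),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A token proves only that the request came from a page able to read it. A stored XSS on the same origin can read it as well, which is why the XSS half of each pair is the more serious defect, and why the output-encoding fix is needed alongside the token.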
cve-2012-2209
Vulnerability from cvelistv5
Published
2012-08-14 22:00
Modified
2024-08-06 19:26
Summary
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.
References
URL | Tags
---|---
http://www.exploit-db.com/exploits/18782 | exploit, x_refsource_EXPLOIT-DB
http://piwigo.org/forum/viewtopic.php?id=19173 | x_refsource_CONFIRM
https://www.htbridge.com/advisory/HTB23085 | x_refsource_MISC
http://piwigo.org/releases/2.3.4 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/53245 | vdb-entry, x_refsource_BID
https://exchange.xforce.ibmcloud.com/vulnerabilities/75186 | vdb-entry, x_refsource_XF
http://secunia.com/advisories/48903 | third-party-advisory, x_refsource_SECUNIA
http://piwigo.org/bugs/view.php?id=2607 | x_refsource_CONFIRM
http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html | mailing-list, x_refsource_BUGTRAQ
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T19:26:09.016Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "18782", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "http://www.exploit-db.com/exploits/18782", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.htbridge.com/advisory/HTB23085", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.3.4", }, { name: "53245", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/53245", }, { name: "piwigo-multiple-xss(75186)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186", }, { name: "48903", tags: [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred", ], url: "http://secunia.com/advisories/48903", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2012-04-08T00:00:00", descriptions: [ { lang: "en", value: "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], 
providerMetadata: { dateUpdated: "2017-08-28T12:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "18782", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "http://www.exploit-db.com/exploits/18782", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { tags: [ "x_refsource_MISC", ], url: "https://www.htbridge.com/advisory/HTB23085", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.3.4", }, { name: "53245", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/53245", }, { name: "piwigo-multiple-xss(75186)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186", }, { name: "48903", tags: [ "third-party-advisory", "x_refsource_SECUNIA", ], url: "http://secunia.com/advisories/48903", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2012-2209", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], 
}, references: { reference_data: [ { name: "18782", refsource: "EXPLOIT-DB", url: "http://www.exploit-db.com/exploits/18782", }, { name: "http://piwigo.org/forum/viewtopic.php?id=19173", refsource: "CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=19173", }, { name: "https://www.htbridge.com/advisory/HTB23085", refsource: "MISC", url: "https://www.htbridge.com/advisory/HTB23085", }, { name: "http://piwigo.org/releases/2.3.4", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.3.4", }, { name: "53245", refsource: "BID", url: "http://www.securityfocus.com/bid/53245", }, { name: "piwigo-multiple-xss(75186)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186", }, { name: "48903", refsource: "SECUNIA", url: "http://secunia.com/advisories/48903", }, { name: "http://piwigo.org/bugs/view.php?id=2607", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=2607", }, { name: "20120425 Multiple vulnerabilities in Piwigo", refsource: "BUGTRAQ", url: "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2012-2209", datePublished: "2012-08-14T22:00:00", dateReserved: "2012-04-04T00:00:00", dateUpdated: "2024-08-06T19:26:09.016Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-32297
Vulnerability from cvelistv5
Published
2022-07-14 19:04
Modified
2024-08-03 07:39
Severity ?
EPSS score ?
Summary
Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:39:50.600Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-14T19:04:39", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2022-32297", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", refsource: "MISC", url: "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md", }, ], }, }, }, }, 
cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-32297", datePublished: "2022-07-14T19:04:39", dateReserved: "2022-06-05T00:00:00", dateUpdated: "2024-08-03T07:39:50.600Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-26267
Vulnerability from cvelistv5
Published
2022-03-18 22:57
Modified
2024-08-03 04:56
Severity ?
EPSS score ?
Summary
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
References
URL | Tags
---|---
https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:56:37.932Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-03-18T22:57:03", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2022-26267", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", refsource: "MISC", url: "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-26267", 
datePublished: "2022-03-18T22:57:03", dateReserved: "2022-02-28T00:00:00", dateUpdated: "2024-08-03T04:56:37.932Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-10084
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | x_refsource_CONFIRM
http://www.securityfocus.com/bid/95164 | vdb-entry, x_refsource_BID
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T03:07:32.137Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", }, { name: "95164", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/95164", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-12-30T00:00:00", descriptions: [ { lang: "en", value: "admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-01-02T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", }, { name: "95164", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/95164", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2016-10084", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: 
"admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202", }, { name: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f", }, { name: "95164", refsource: "BID", url: "http://www.securityfocus.com/bid/95164", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2016-10084", datePublished: "2016-12-30T07:08:00", dateReserved: "2016-12-30T00:00:00", dateUpdated: "2024-08-06T03:07:32.137Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-32615
Vulnerability from cvelistv5
Published
2021-05-13 22:07
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/issues/1410 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T23:25:30.910Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1410", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-13T22:07:29", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/1410", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-32615", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52", }, { 
name: "https://github.com/Piwigo/Piwigo/issues/1410", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/1410", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-32615", datePublished: "2021-05-13T22:07:29", dateReserved: "2021-05-12T00:00:00", dateUpdated: "2024-08-03T23:25:30.910Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-33359
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 17:29
Severity ?
EPSS score ?
Summary
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T15:47:05.058Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1908", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2023-33359", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-16T18:47:29.908823Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-352", description: "CWE-352 Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-31T17:29:19.260Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the \"add tags\" function.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-23T00:00:00.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/1908", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-33359", datePublished: "2023-05-23T00:00:00.000Z", dateReserved: "2023-05-22T00:00:00.000Z", 
dateUpdated: "2025-01-31T17:29:19.260Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-22150
Vulnerability from cvelistv5
Published
2021-07-21 16:07
Modified
2024-08-04 14:51
Severity ?
EPSS score ?
Summary
A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1158 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:51:10.386Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1158", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-21T16:07:38", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1158", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-22150", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1158", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1158", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-22150", datePublished: "2021-07-21T16:07:38", dateReserved: "2020-08-13T00:00:00", 
dateUpdated: "2024-08-04T14:51:10.386Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-4648
Vulnerability from cvelistv5
Published
2014-06-28 15:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
References
URL | Tags
---|---
http://piwigo.org/releases/2.6.3 | x_refsource_CONFIRM
http://piwigo.org/forum/viewtopic.php?id=24009 | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T11:20:26.675Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/releases/2.6.3", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/forum/viewtopic.php?id=24009", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-06-11T00:00:00", descriptions: [ { lang: "en", value: "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\"", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-06-28T15:57:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/releases/2.6.3", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/forum/viewtopic.php?id=24009", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-4648", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\"", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://piwigo.org/releases/2.6.3", refsource: "CONFIRM", url: "http://piwigo.org/releases/2.6.3", }, { name: "http://piwigo.org/forum/viewtopic.php?id=24009", refsource: 
"CONFIRM", url: "http://piwigo.org/forum/viewtopic.php?id=24009", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2014-4648", datePublished: "2014-06-28T15:00:00", dateReserved: "2014-06-25T00:00:00", dateUpdated: "2024-08-06T11:20:26.675Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-19216
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1011 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:08:30.726Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-06T13:55:51", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-19216", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1011", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-19216", datePublished: "2022-05-06T13:55:51", dateReserved: "2020-08-13T00:00:00", dateUpdated: "2024-08-04T14:08:30.726Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-33362
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 15:35
Severity ?
EPSS score ?
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T15:47:05.057Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1911", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-33362", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-16T18:15:28.499547Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-31T15:35:39.447Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 13.6.0 is vulnerable to SQL Injection via in the \"profile\" function.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-23T00:00:00.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/1911", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-33362", datePublished: "2023-05-23T00:00:00.000Z", 
dateReserved: "2023-05-22T00:00:00.000Z", dateUpdated: "2025-01-31T15:35:39.447Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-4649
Vulnerability from cvelistv5
Published
2014-06-28 15:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
References
URL | Tags
---|---
http://piwigo.org/bugs/view.php?id=3089 | x_refsource_CONFIRM
http://piwigo.org/bugs/changelog_page.php | x_refsource_CONFIRM
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T11:20:26.648Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/view.php?id=3089", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/bugs/changelog_page.php", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-06-12T00:00:00", descriptions: [ { lang: "en", value: "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2014-06-28T15:57:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/view.php?id=3089", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/bugs/changelog_page.php", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-4649", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: 
"http://piwigo.org/bugs/view.php?id=3089", refsource: "CONFIRM", url: "http://piwigo.org/bugs/view.php?id=3089", }, { name: "http://piwigo.org/bugs/changelog_page.php", refsource: "CONFIRM", url: "http://piwigo.org/bugs/changelog_page.php", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2014-4649", datePublished: "2014-06-28T15:00:00", dateReserved: "2014-06-25T00:00:00", dateUpdated: "2024-08-06T11:20:26.648Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-16893
Vulnerability from cvelistv5
Published
2017-12-01 17:00
Modified
2024-08-05 20:35
Severity ?
EPSS score ?
Summary
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/804 | x_refsource_MISC
cve-2014-3900
Vulnerability from cvelistv5
Published
2014-08-17 18:00
Modified
2024-08-06 10:57
Assigner
jpcert
Summary
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References
URL | Name | Tags
--- | --- | ---
http://piwigo.org/bugs/view.php?id=3089 | | x_refsource_CONFIRM
http://jvn.jp/en/jp/JVN09717399/index.html | JVN#09717399 | third-party-advisory, x_refsource_JVN
http://piwigo.org/dev/changeset/28678 | | x_refsource_CONFIRM
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093 | JVNDB-2014-000093 | third-party-advisory, x_refsource_JVNDB
cve-2016-10513
Vulnerability from cvelistv5
Published
2017-10-10 20:00
Modified
2024-09-16 16:43
Assigner
mitre
Summary
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
References
URL | Tags
--- | ---
https://github.com/Piwigo/Piwigo/issues/548 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | x_refsource_CONFIRM
http://piwigo.org/releases/2.8.3 | x_refsource_CONFIRM
cve-2012-4525
Vulnerability from cvelistv5
Published
2019-12-02 17:46
Modified
2024-08-06 20:42
Assigner
redhat
Affected
piwigo (vendor piwigo), version 2.4.3 and earlier
Summary
piwigo has XSS in password.php
References
URL | Tags
--- | ---
https://security-tracker.debian.org/tracker/CVE-2012-4525 | x_refsource_MISC
https://access.redhat.com/security/cve/cve-2012-4525 | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2013/02/11/1 | x_refsource_MISC
http://www.securityfocus.com/bid/55710 | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2012/10/18/4 | x_refsource_MISC
cve-2015-2035
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 05:02
Assigner
mitre
Summary
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.
References
URL | Name | Tags
--- | --- | ---
http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html | | x_refsource_MISC
http://seclists.org/fulldisclosure/2015/Feb/73 | 20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo <= v. 2.7.3 | mailing-list, x_refsource_FULLDISC
http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html | | x_refsource_MISC
http://piwigo.org/releases/2.7.4 | | x_refsource_CONFIRM
http://piwigo.org/forum/viewtopic.php?id=25179 | | x_refsource_CONFIRM
http://www.securityfocus.com/bid/72689 | 72689 | vdb-entry, x_refsource_BID
http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html | | x_refsource_MISC
cve-2020-22148
Vulnerability from cvelistv5
Published
2021-07-21 16:07
Modified
2024-08-04 14:51
Assigner
mitre
Summary
A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
URL | Tags
--- | ---
https://github.com/Piwigo/Piwigo/issues/1157 | x_refsource_MISC
cve-2023-27233
Vulnerability from cvelistv5
Published
2023-05-17 00:00
Modified
2025-01-22 19:44
Assigner
mitre
Severity
8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scored by CISA-ADP)
SSVC (CISA Coordinator)
Exploitation: poc; Automatable: no; Technical Impact: total
Problem type
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.
References
URL
---
https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245
https://github.com/Piwigo/Piwigo/issues/1872
cve-2017-9464
Vulnerability from cvelistv5
Published
2017-06-14 19:00
Modified
2024-08-05 17:11
Assigner
mitre
Summary
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.
References
URL | Tags
--- | ---
https://github.com/Piwigo/Piwigo/issues/706 | x_refsource_MISC
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | x_refsource_MISC
cve-2017-17825
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Assigner
mitre
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
URL | Tags
--- | ---
https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md | x_refsource_MISC
cve-2019-13363
Vulnerability from cvelistv5
Published
2019-09-13 12:22
Modified
2024-08-04 23:49
Assigner
mitre
Summary
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
References
URL | Name | Tags
--- | --- | ---
https://piwigo.com | | x_refsource_MISC
https://github.com/Piwigo/Piwigo/issues | | x_refsource_MISC
http://seclists.org/fulldisclosure/2019/Sep/25 | | x_refsource_MISC
http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | | x_refsource_MISC
http://seclists.org/fulldisclosure/2020/Jun/29 | 20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363 | mailing-list, x_refsource_FULLDISC
cve-2010-1707
Vulnerability from cvelistv5
Published
2010-05-04 15:00
Modified
2024-09-16 23:30
Summary
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
References
| URL | Tags |
|---|---|
| http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936 | x_refsource_CONFIRM |
| http://www.vupen.com/english/advisories/2010/1034 | vdb-entry, x_refsource_VUPEN |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-07T01:35:52.849Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", }, { name: "ADV-2010-1034", tags: [ "vdb-entry", "x_refsource_VUPEN", "x_transferred", ], url: "http://www.vupen.com/english/advisories/2010/1034", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2010-05-04T15:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", }, { name: "ADV-2010-1034", tags: [ "vdb-entry", "x_refsource_VUPEN", ], url: "http://www.vupen.com/english/advisories/2010/1034", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2010-1707", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.", }, ], }, problemtype: { problemtype_data: [ { 
description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", refsource: "CONFIRM", url: "http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936", }, { name: "ADV-2010-1034", refsource: "VUPEN", url: "http://www.vupen.com/english/advisories/2010/1034", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2010-1707", datePublished: "2010-05-04T15:00:00Z", dateReserved: "2010-05-04T00:00:00Z", dateUpdated: "2024-09-16T23:30:59.687Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-10678
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99383 | vdb-entry, x_refsource_BID |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM |
| https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:41:55.505Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "99383", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/99383", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-29T00:00:00", descriptions: [ { lang: "en", value: "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-07-05T09:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "99383", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/99383", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/721", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-10678", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site request forgery (CSRF) 
vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "99383", refsource: "BID", url: "http://www.securityfocus.com/bid/99383", }, { name: "https://github.com/Piwigo/Piwigo/issues/721", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/721", }, { name: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-10678", datePublished: "2017-06-29T21:00:00", dateReserved: "2017-06-29T00:00:00", dateUpdated: "2024-08-05T17:41:55.505Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-19215
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1011 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:08:30.664Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-06T13:55:41", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-19215", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1011", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1011", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-19215", datePublished: "2022-05-06T13:55:41", dateReserved: "2020-08-13T00:00:00", dateUpdated: "2024-08-04T14:08:30.664Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-19217
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Summary
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1012 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T14:08:30.637Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1012", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-05-06T13:55:59", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1012", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-19217", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1012", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1012", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-19217", datePublished: "2022-05-06T13:55:59", dateReserved: "2020-08-13T00:00:00", dateUpdated: 
"2024-08-04T14:08:30.637Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-45357
Vulnerability from cvelistv5
Published
2022-02-10 17:38
Modified
2024-08-04 04:39
Summary
Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/1582 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:39:20.690Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1582", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T17:38:27", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/1582", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2021-45357", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1582", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/1582", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2021-45357", datePublished: "2022-02-10T17:38:27", dateReserved: "2021-12-20T00:00:00", dateUpdated: "2024-08-04T04:39:20.690Z", state: 
"PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-9452
Vulnerability from cvelistv5
Published
2017-06-06 16:00
Modified
2024-09-17 00:01
Summary
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
References
| URL | Tags |
|---|---|
| https://github.com/Piwigo/Piwigo/issues/667 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:11:01.275Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/667", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-06-06T16:00:00Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/667", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-9452", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/667", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/667", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-9452", datePublished: "2017-06-06T16:00:00Z", 
dateReserved: "2017-06-06T00:00:00Z", dateUpdated: "2024-09-17T00:01:09.818Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-7724
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| URL | Tags |
|---|---|
| https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:31:05.191Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-03-06T00:00:00", descriptions: [ { lang: "en", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-06T16:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-7724", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. 
CSRF exploitation, related to CVE-2017-10681, may be possible.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", refsource: "MISC", url: "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-7724", datePublished: "2018-03-06T17:00:00", dateReserved: "2018-03-06T00:00:00", dateUpdated: "2024-08-05T06:31:05.191Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17823
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:17.921Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/826", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-20T00:00:00", descriptions: [ { lang: "en", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-21T04:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/826", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17823", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], 
}, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/826", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/826", }, { name: "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983", }, { name: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", refsource: "MISC", url: "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17823", datePublished: "2017-12-21T04:00:00", dateReserved: "2017-12-20T00:00:00", dateUpdated: "2024-08-05T20:59:17.921Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-37183
Vulnerability from cvelistv5
Published
2022-08-31 17:09
Modified
2024-08-03 10:21
Summary
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
References
| URL | Tags |
|---|---|
| https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T10:21:33.239Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-31T17:09:50", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2022-37183", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", refsource: "MISC", url: "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-37183", datePublished: 
"2022-08-31T17:09:50", dateReserved: "2022-08-01T00:00:00", dateUpdated: "2024-08-03T10:21:33.239Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-51790
Vulnerability from cvelistv5
Published
2024-01-12 00:00
Modified
2024-08-02 22:48
Summary
Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:48:11.664Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/2069", }, { tags: [ "x_transferred", ], url: "https://github.com/Piwigo/AdminTools/issues/21", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-12T12:29:09.776692", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/Piwigo/Piwigo/issues/2069", }, { url: "https://github.com/Piwigo/AdminTools/issues/21", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-51790", datePublished: "2024-01-12T00:00:00", dateReserved: "2023-12-26T00:00:00", dateUpdated: "2024-08-02T22:48:11.664Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-9115
Vulnerability from cvelistv5
Published
2014-12-23 11:00
Modified
2024-08-06 13:33
Summary
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References
| URL | Tags |
|---|---|
| http://piwigo.org/forum/viewtopic.php?id=24850 | x_refsource_CONFIRM |
| http://piwigo.org/releases/2.7.2 | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2014/Nov/23 | mailing-list, x_refsource_FULLDISC |
| http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php | x_refsource_CONFIRM |
cve-2016-10514
Vulnerability from cvelistv5
Published
2017-10-10 20:00
Modified
2024-09-17 02:15
Summary
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.
References

URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/547 | x_refsource_CONFIRM
http://piwigo.org/releases/2.8.3 | x_refsource_CONFIRM
https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | x_refsource_CONFIRM
cve-2014-4614
Vulnerability from cvelistv5
Published
2014-07-02 20:00
Modified
2024-08-06 11:20
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
References

URL | Tags
---|---
http://seclists.org/oss-sec/2014/q2/623 | mailing-list, x_refsource_MLIST
http://piwigo.org/bugs/view.php?id=0003055 | x_refsource_CONFIRM
http://piwigo.org/releases/2.6.2 | x_refsource_CONFIRM
cve-2020-19212
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Summary
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
References

URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1009 | x_refsource_MISC
cve-2014-4613
Vulnerability from cvelistv5
Published
2018-03-16 17:00
Modified
2024-08-06 11:20
Summary
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
References

URL | Tags
---|---
http://seclists.org/oss-sec/2014/q2/623 | mailing-list, x_refsource_MLIST
http://www.exploit-db.com/exploits/31916 | exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/65811 | vdb-entry, x_refsource_BID
http://seclists.org/oss-sec/2014/q2/610 | mailing-list, x_refsource_MLIST
http://osvdb.org/show/osvdb/103774 | vdb-entry, x_refsource_OSVDB
http://piwigo.org/bugs/view.php?id=0003055 | x_refsource_CONFIRM
http://piwigo.org/releases/2.6.2 | x_refsource_CONFIRM
http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html | x_refsource_MISC
cve-2009-4039
Vulnerability from cvelistv5
Published
2009-11-20 19:00
Modified
2024-09-16 17:38
Summary
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References

URL | Tags
---|---
http://secunia.com/advisories/37336 | third-party-advisory, x_refsource_SECUNIA
http://piwigo.org/releases/2.0.6 | x_refsource_CONFIRM
http://www.vupen.com/english/advisories/2009/3221 | vdb-entry, x_refsource_VUPEN
cve-2021-40553
Vulnerability from cvelistv5
Published
2022-06-28 16:22
Modified
2024-08-04 02:44
Summary
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
References

URL | Tags
---|---
https://github.com/Yang9999999/vuln/blob/main/README.md | x_refsource_MISC
cve-2020-19213
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Summary
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
References

URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1010 | x_refsource_MISC
cve-2017-17822
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Summary
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References

URL | Tags
---|---
https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md | x_refsource_MISC
https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40 | x_refsource_MISC
https://github.com/Piwigo/Piwigo/issues/823 | x_refsource_MISC
cve-2022-26266
Vulnerability from cvelistv5
Published
2022-03-18 22:57
Modified
2024-08-03 04:56
Summary
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
References

URL | Tags
---|---
https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | x_refsource_MISC
cve-2017-9463
Vulnerability from cvelistv5
Published
2017-06-14 19:00
Modified
2024-08-05 17:11
Summary
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/705 | x_refsource_MISC
https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | x_refsource_MISC
https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T17:11:01.843Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/705", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-06-14T00:00:00", descriptions: [ { lang: "en", value: "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. 
The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-06-14T19:57:02", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/705", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", }, { tags: [ "x_refsource_MISC", ], url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-9463", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. 
The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/705", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/705", }, { name: "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2", }, { name: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", refsource: "MISC", url: "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-9463", datePublished: "2017-06-14T19:00:00", dateReserved: "2017-06-06T00:00:00", dateUpdated: "2024-08-05T17:11:01.843Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-17775
Vulnerability from cvelistv5
Published
2017-12-20 03:00
Modified
2024-08-05 20:59
Summary
Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.
References
URL | Tags
---|---
https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T20:59:17.890Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-12-19T00:00:00", descriptions: [ { lang: "en", value: "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2017-12-20T03:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-17775", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", refsource: "MISC", url: "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-17775", datePublished: "2017-12-20T03:00:00", dateReserved: 
"2017-12-19T00:00:00", dateUpdated: "2024-08-05T20:59:17.890Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-26876
Vulnerability from cvelistv5
Published
2023-04-21 00:00
Modified
2025-02-13 16:44
Summary
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:01:30.952Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.tempest.com.br", }, { tags: [ "x_transferred", ], url: "https://piwigo.com", }, { tags: [ "x_transferred", ], url: "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693", }, { name: "20230428 Piwigo - CVE-2023-26876", tags: [ "mailing-list", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2023/Apr/13", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-26876", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-04T21:23:38.126996Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-04T21:24:33.016Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the 
admin.php?page=history&filter_image_id=&filter_user_id endpoint.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-28T10:06:08.259Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://www.tempest.com.br", }, { url: "https://piwigo.com", }, { url: "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693", }, { name: "20230428 Piwigo - CVE-2023-26876", tags: [ "mailing-list", ], url: "http://seclists.org/fulldisclosure/2023/Apr/13", }, { url: "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-26876", datePublished: "2023-04-21T00:00:00.000Z", dateReserved: "2023-02-27T00:00:00.000Z", dateUpdated: "2025-02-13T16:44:58.074Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-6883
Vulnerability from cvelistv5
Published
2018-02-24 16:00
Modified
2024-08-05 06:17
Summary
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/839 | x_refsource_MISC
https://pastebin.com/tPebQFy4 | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T06:17:16.586Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/839", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://pastebin.com/tPebQFy4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2018-02-24T00:00:00", descriptions: [ { lang: "en", value: "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-02-24T15:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/Piwigo/Piwigo/issues/839", }, { tags: [ "x_refsource_MISC", ], url: "https://pastebin.com/tPebQFy4", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2018-6883", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. 
The attacker must be an administrator.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/839", refsource: "MISC", url: "https://github.com/Piwigo/Piwigo/issues/839", }, { name: "https://pastebin.com/tPebQFy4", refsource: "MISC", url: "https://pastebin.com/tPebQFy4", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2018-6883", datePublished: "2018-02-24T16:00:00", dateReserved: "2018-02-10T00:00:00", dateUpdated: "2024-08-05T06:17:16.586Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-9467
Vulnerability from cvelistv5
Published
2020-03-26 19:09
Modified
2024-08-04 10:26
Summary
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
References
URL | Tags
---|---
https://github.com/Piwigo/Piwigo/issues/1168 | x_refsource_CONFIRM
http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T10:26:16.384Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/Piwigo/Piwigo/issues/1168", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-09-16T16:06:12", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/Piwigo/Piwigo/issues/1168", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-9467", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/Piwigo/Piwigo/issues/1168", refsource: "CONFIRM", url: "https://github.com/Piwigo/Piwigo/issues/1168", }, 
{ name: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-9467", datePublished: "2020-03-26T19:09:27", dateReserved: "2020-02-28T00:00:00", dateUpdated: "2024-08-04T10:26:16.384Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
jvndb-2014-000092
Vulnerability from jvndb
Published
2014-08-08 13:49
Modified
2014-08-15 13:35
Summary
Piwigo vulnerable to cross-site scripting
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability when the "Community" plugin is activated and validation on user uploaded photos is disabled.
Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Type | URL
---|---
JVN | http://jvn.jp/en/jp/JVN80310172/
CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1980
NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1980
Cross-site Scripting (CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000092.html", "dc:date": "2014-08-15T13:35+09:00", "dcterms:issued": "2014-08-08T13:49+09:00", "dcterms:modified": "2014-08-15T13:35+09:00", description: "Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability when the \"Community\" plugin is activated and validation on user uploaded photos is disabled.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", link: "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000092.html", "sec:cpe": { "#text": "cpe:/a:piwigo:piwigo", "@product": "Piwigo", "@vendor": "Piwigo", "@version": "2.2", }, "sec:cvss": { "@score": "4.3", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "@version": "2.0", }, "sec:identifier": "JVNDB-2014-000092", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN80310172/", "@id": "JVN#80310172", "@source": "JVN", }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1980", "@id": "CVE-2014-1980", "@source": "CVE", }, { "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1980", "@id": "CVE-2014-1980", "@source": "NVD", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)", }, ], title: "Piwigo vulnerable to cross-site scripting", }
jvndb-2014-000094
Vulnerability from jvndb
Published
2014-08-08 13:57
Modified
2014-08-08 13:57
Summary
Piwigo vulnerable to SQL injection
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a SQL injection vulnerability.
Yuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000094.html", "dc:date": "2014-08-08T13:57+09:00", "dcterms:issued": "2014-08-08T13:57+09:00", "dcterms:modified": "2014-08-08T13:57+09:00", description: "Piwigo is a software to manage and host image files on the web. Piwigo contains a SQL injection vulnerability.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", link: "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000094.html", "sec:cpe": { "#text": "cpe:/a:piwigo:piwigo", "@product": "Piwigo", "@vendor": "Piwigo", "@version": "2.2", }, "sec:cvss": { "@score": "6.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "@version": "2.0", }, "sec:identifier": "JVNDB-2014-000094", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN87962145/index.html", "@id": "JVN#87962145", "@source": "JVN", }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4649", "@id": "CVE-2014-4649", "@source": "CVE", }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2014-4649", "@id": "CVE-2014-4649", "@source": "NVD", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-89", "@title": "SQL Injection(CWE-89)", }, ], title: "Piwigo vulnerable to SQL injection", }
jvndb-2014-000093
Vulnerability from jvndb
Published
2014-08-08 13:52
Modified
2014-08-19 16:48
Summary
Piwigo vulnerable to cross-site scripting
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability.
Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
Type | URL
---|---
JVN | http://jvn.jp/en/jp/JVN09717399/
CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3900
NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3900
Cross-site Scripting (CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000093.html", "dc:date": "2014-08-19T16:48+09:00", "dcterms:issued": "2014-08-08T13:52+09:00", "dcterms:modified": "2014-08-19T16:48+09:00", description: "Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", link: "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000093.html", "sec:cpe": { "#text": "cpe:/a:piwigo:piwigo", "@product": "Piwigo", "@vendor": "Piwigo", "@version": "2.2", }, "sec:cvss": { "@score": "2.6", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "@version": "2.0", }, "sec:identifier": "JVNDB-2014-000093", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN09717399/", "@id": "JVN#09717399", "@source": "JVN", }, { "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3900", "@id": "CVE-2014-3900", "@source": "CVE", }, { "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3900", "@id": "CVE-2014-3900", "@source": "NVD", }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-79", "@title": "Cross-site Scripting(CWE-79)", }, ], title: "Piwigo vulnerable to cross-site scripting", }