Vulnerabilites related to Piwigo - Piwigo
cve-2017-17825
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager\u0026mode=unit request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17825",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager\u0026mode=unit request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17825",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7724
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Severity ?
EPSS score ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:05.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-06T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7724",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md",
"refsource": "MISC",
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7724",
"datePublished": "2018-03-06T17:00:00",
"dateReserved": "2018-03-06T00:00:00",
"dateUpdated": "2024-08-05T06:31:05.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17824
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/825"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/825"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17824",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/825",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/825"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17824",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51790
Vulnerability from cvelistv5
Published
2024-01-12 00:00
Modified
2024-08-02 22:48
Severity ?
EPSS score ?
Summary
Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:11.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/2069"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/AdminTools/issues/21"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T12:29:09.776692",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/2069"
},
{
"url": "https://github.com/Piwigo/AdminTools/issues/21"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-51790",
"datePublished": "2024-01-12T00:00:00",
"dateReserved": "2023-12-26T00:00:00",
"dateUpdated": "2024-08-02T22:48:11.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-2034
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 05:02
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.
References
| ▼ | URL | Tags |
|---|---|---|
| http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/72690 | vdb-entry, x_refsource_BID | |
| http://seclists.org/fulldisclosure/2015/Feb/73 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html | x_refsource_MISC | |
| http://piwigo.org/releases/2.7.4 | x_refsource_CONFIRM | |
| http://piwigo.org/forum/viewtopic.php?id=25179 | x_refsource_CONFIRM | |
| http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:02:43.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "72690",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72690"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-28T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "72690",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72690"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2034",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html",
"refsource": "MISC",
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "72690",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72690"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"name": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"name": "http://piwigo.org/releases/2.7.4",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.7.4"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=25179",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"name": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html",
"refsource": "MISC",
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2034",
"datePublished": "2015-02-20T16:00:00",
"dateReserved": "2015-02-19T00:00:00",
"dateUpdated": "2024-08-06T05:02:43.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-9467
Vulnerability from cvelistv5
Published
2020-03-26 19:09
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1168 | x_refsource_CONFIRM | |
| http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1168"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-16T16:06:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1168"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-9467",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1168",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/1168"
},
{
"name": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-9467",
"datePublished": "2020-03-26T19:09:27",
"dateReserved": "2020-02-28T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17826
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration§ion=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:18.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration\u0026section=main request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration\u0026section=main request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17826",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:18.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10084
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95164 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:32.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f"
},
{
"name": "95164",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page[\u0027tab\u0027] variable (aka the mode parameter)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-02T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f"
},
{
"name": "95164",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95164"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10084",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page[\u0027tab\u0027] variable (aka the mode parameter)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f"
},
{
"name": "95164",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95164"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10084",
"datePublished": "2016-12-30T07:08:00",
"dateReserved": "2016-12-30T00:00:00",
"dateUpdated": "2024-08-06T03:07:32.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-19216
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1011 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.726Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T13:55:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19216",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1011",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19216",
"datePublished": "2022-05-06T13:55:51",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10681
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/99362 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:41:55.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99362",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99362"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-04T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99362",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99362"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99362",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99362"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/721",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10681",
"datePublished": "2017-06-29T21:00:00",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-08-05T17:41:55.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10682
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/724 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/99357 | vdb-entry, x_refsource_BID | |
| https://www.exploit-db.com/exploits/43337/ | exploit, x_refsource_EXPLOIT-DB | |
| https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:41:55.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/724"
},
{
"name": "99357",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99357"
},
{
"name": "43337",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43337/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-19T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/724"
},
{
"name": "99357",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99357"
},
{
"name": "43337",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43337/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/724",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/724"
},
{
"name": "99357",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99357"
},
{
"name": "43337",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43337/"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10682",
"datePublished": "2017-06-29T21:00:00",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-08-05T17:41:55.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-16893
Vulnerability from cvelistv5
Published
2017-12-01 17:00
Modified
2024-08-05 20:35
Severity ?
EPSS score ?
Summary
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/804 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/804"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-01T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/804"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16893",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/804",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/804"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16893",
"datePublished": "2017-12-01T17:00:00",
"dateReserved": "2017-11-19T00:00:00",
"dateUpdated": "2024-08-05T20:35:21.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7723
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Severity ?
EPSS score ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:05.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-06T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md",
"refsource": "MISC",
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7723",
"datePublished": "2018-03-06T17:00:00",
"dateReserved": "2018-03-06T00:00:00",
"dateUpdated": "2024-08-05T06:31:05.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-2933
Vulnerability from cvelistv5
Published
2009-08-21 20:21
Modified
2024-08-07 06:07
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://secunia.com/advisories/36333 | third-party-advisory, x_refsource_SECUNIA | |
| http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf | x_refsource_MISC | |
| http://www.securityfocus.com/archive/1/505801/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:07:37.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "36333",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/36333"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf"
},
{
"name": "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/505801/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2009-08-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "36333",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/36333"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf"
},
{
"name": "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/505801/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-2933",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "36333",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/36333"
},
{
"name": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf",
"refsource": "MISC",
"url": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf"
},
{
"name": "20090817 Piwigo SQL Injection Vulnerability - Security Advisory - SOS-09-007",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/505801/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-2933",
"datePublished": "2009-08-21T20:21:00",
"dateReserved": "2009-08-21T00:00:00",
"dateUpdated": "2024-08-07T06:07:37.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-9836
Vulnerability from cvelistv5
Published
2017-06-24 15:00
Modified
2024-09-16 17:09
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/716 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:18:02.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/716"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-24T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/716"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-9836",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/716",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/716"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-9836",
"datePublished": "2017-06-24T15:00:00Z",
"dateReserved": "2017-06-24T00:00:00Z",
"dateUpdated": "2024-09-16T17:09:04.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-2209
Vulnerability from cvelistv5
Published
2012-08-14 22:00
Modified
2024-08-06 19:26
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.exploit-db.com/exploits/18782 | exploit, x_refsource_EXPLOIT-DB | |
| http://piwigo.org/forum/viewtopic.php?id=19173 | x_refsource_CONFIRM | |
| https://www.htbridge.com/advisory/HTB23085 | x_refsource_MISC | |
| http://piwigo.org/releases/2.3.4 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/53245 | vdb-entry, x_refsource_BID | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/75186 | vdb-entry, x_refsource_XF | |
| http://secunia.com/advisories/48903 | third-party-advisory, x_refsource_SECUNIA | |
| http://piwigo.org/bugs/view.php?id=2607 | x_refsource_CONFIRM | |
| http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:09.016Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "18782",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "53245",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "piwigo-multiple-xss(75186)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186"
},
{
"name": "48903",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48903"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-04-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "18782",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "53245",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "piwigo-multiple-xss(75186)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186"
},
{
"name": "48903",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48903"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-2209",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "18782",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=19173",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"name": "https://www.htbridge.com/advisory/HTB23085",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"name": "http://piwigo.org/releases/2.3.4",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "53245",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "piwigo-multiple-xss(75186)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186"
},
{
"name": "48903",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/48903"
},
{
"name": "http://piwigo.org/bugs/view.php?id=2607",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-2209",
"datePublished": "2012-08-14T22:00:00",
"dateReserved": "2012-04-04T00:00:00",
"dateUpdated": "2024-08-06T19:26:09.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40317
Vulnerability from cvelistv5
Published
2022-05-26 12:04
Modified
2024-08-04 02:27
Severity ?
EPSS score ?
Summary
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1470 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1470"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-26T12:04:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1470"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40317",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1470",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1470"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40317",
"datePublished": "2022-05-26T12:04:52",
"dateReserved": "2021-08-30T00:00:00",
"dateUpdated": "2024-08-04T02:27:31.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-26266
Vulnerability from cvelistv5
Published
2022-03-18 22:57
Modified
2024-08-03 04:56
Severity ?
EPSS score ?
Summary
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-18T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26266",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md",
"refsource": "MISC",
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26266",
"datePublished": "2022-03-18T22:57:01",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-08-03T04:56:37.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-5608
Vulnerability from cvelistv5
Published
2017-01-28 18:00
Modified
2024-08-05 15:04
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/600 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95848 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.8.6 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:04:15.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/600"
},
{
"name": "95848",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95848"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.8.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-31T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/600"
},
{
"name": "95848",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95848"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.8.6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-5608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/600",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/600"
},
{
"name": "95848",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95848"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb"
},
{
"name": "http://piwigo.org/releases/2.8.6",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.8.6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-5608",
"datePublished": "2017-01-28T18:00:00",
"dateReserved": "2017-01-28T00:00:00",
"dateUpdated": "2024-08-05T15:04:15.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-22148
Vulnerability from cvelistv5
Published
2021-07-21 16:07
Modified
2024-08-04 14:51
Severity ?
EPSS score ?
Summary
A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1157 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1157"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T16:07:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1157"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22148",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1157",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1157"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22148",
"datePublished": "2021-07-21T16:07:36",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40313
Vulnerability from cvelistv5
Published
2021-12-06 20:22
Modified
2024-08-04 02:27
Severity ?
EPSS score ?
Summary
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1469 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1469"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-06T20:22:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1469"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40313",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1469",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1469"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40313",
"datePublished": "2021-12-06T20:22:58",
"dateReserved": "2021-08-30T00:00:00",
"dateUpdated": "2024-08-04T02:27:31.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10083
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/issues/575 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95166 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:32.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/575"
},
{
"name": "95166",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95166"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-02T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/575"
},
{
"name": "95166",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95166"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10083",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/575",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/575"
},
{
"name": "95166",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95166"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10083",
"datePublished": "2016-12-30T07:08:00",
"dateReserved": "2016-12-30T00:00:00",
"dateUpdated": "2024-08-06T03:07:32.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-19212
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1009 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1009"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T13:55:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1009"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19212",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1009",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1009"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19212",
"datePublished": "2022-05-06T13:55:25",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17822
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.958Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/823"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/823"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17822",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/823",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/823"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17822",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-1517
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 04:47
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/72664 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/534723/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html | x_refsource_MISC | |
| http://piwigo.org/releases/2.7.4 | x_refsource_CONFIRM | |
| http://piwigo.org/forum/viewtopic.php?id=25179 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:16.749Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "72664",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72664"
},
{
"name": "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/534723/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "72664",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72664"
},
{
"name": "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/534723/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1517",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "72664",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72664"
},
{
"name": "20150218 [CVE-2015-1517] Piwigo - SQL Injection in Version 2.7.3",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/534723/100/0/threaded"
},
{
"name": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html"
},
{
"name": "http://piwigo.org/releases/2.7.4",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.7.4"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=25179",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1517",
"datePublished": "2015-02-20T16:00:00",
"dateReserved": "2015-02-06T00:00:00",
"dateUpdated": "2024-08-06T04:47:16.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-9464
Vulnerability from cvelistv5
Published
2017-06-14 19:00
Modified
2024-08-05 17:11
Severity ?
EPSS score ?
Summary
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/706 | x_refsource_MISC | |
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:01.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/706"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the \"redirect\" parameter is not validated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-14T19:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/706"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-9464",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the \"redirect\" parameter is not validated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/706",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/706"
},
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-9464",
"datePublished": "2017-06-14T19:00:00",
"dateReserved": "2017-06-06T00:00:00",
"dateUpdated": "2024-08-05T17:11:01.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-6883
Vulnerability from cvelistv5
Published
2018-02-24 16:00
Modified
2024-08-05 06:17
Severity ?
EPSS score ?
Summary
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/839 | x_refsource_MISC | |
| https://pastebin.com/tPebQFy4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:16.586Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/839"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pastebin.com/tPebQFy4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-24T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/839"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pastebin.com/tPebQFy4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6883",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/839",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/839"
},
{
"name": "https://pastebin.com/tPebQFy4",
"refsource": "MISC",
"url": "https://pastebin.com/tPebQFy4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6883",
"datePublished": "2018-02-24T16:00:00",
"dateReserved": "2018-02-10T00:00:00",
"dateUpdated": "2024-08-05T06:17:16.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-7722
Vulnerability from cvelistv5
Published
2018-03-06 17:00
Modified
2024-08-05 06:31
Severity ?
EPSS score ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:05.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-06T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7722",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md",
"refsource": "MISC",
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7722",
"datePublished": "2018-03-06T17:00:00",
"dateReserved": "2018-03-06T00:00:00",
"dateUpdated": "2024-08-05T06:31:05.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-9115
Vulnerability from cvelistv5
Published
2014-12-23 11:00
Modified
2024-08-06 13:33
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/forum/viewtopic.php?id=24850 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.7.2 | x_refsource_CONFIRM | |
| http://seclists.org/fulldisclosure/2014/Nov/23 | mailing-list, x_refsource_FULLDISC | |
| http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:33:13.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24850"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.7.2"
},
{
"name": "20141112 Piwigo \u003c= v2.6.0 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/23"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-11-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-23T05:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24850"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.7.2"
},
{
"name": "20141112 Piwigo \u003c= v2.6.0 - Blind SQL Injection",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/23"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/forum/viewtopic.php?id=24850",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=24850"
},
{
"name": "http://piwigo.org/releases/2.7.2",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.7.2"
},
{
"name": "20141112 Piwigo \u003c= v2.6.0 - Blind SQL Injection",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2014/Nov/23"
},
{
"name": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php",
"refsource": "CONFIRM",
"url": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9115",
"datePublished": "2014-12-23T11:00:00",
"dateReserved": "2014-11-26T00:00:00",
"dateUpdated": "2024-08-06T13:33:13.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-1441
Vulnerability from cvelistv5
Published
2015-02-03 16:00
Modified
2024-08-06 04:40
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/releases/2.6.5 | x_refsource_CONFIRM | |
| http://secunia.com/advisories/62606 | third-party-advisory, x_refsource_SECUNIA | |
| http://piwigo.org/releases/2.7.3 | x_refsource_CONFIRM | |
| http://piwigo.org/forum/viewtopic.php?id=25016 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/72400 | vdb-entry, x_refsource_BID | |
| http://piwigo.org/releases/2.5.6 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:40:18.705Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.6.5"
},
{
"name": "62606",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/62606"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.7.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25016"
},
{
"name": "72400",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72400"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.5.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-02-03T15:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.6.5"
},
{
"name": "62606",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/62606"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.7.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25016"
},
{
"name": "72400",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72400"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.5.6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1441",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/releases/2.6.5",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.6.5"
},
{
"name": "62606",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/62606"
},
{
"name": "http://piwigo.org/releases/2.7.3",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.7.3"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=25016",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=25016"
},
{
"name": "72400",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72400"
},
{
"name": "http://piwigo.org/releases/2.5.6",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.5.6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1441",
"datePublished": "2015-02-03T16:00:00",
"dateReserved": "2015-01-31T00:00:00",
"dateUpdated": "2024-08-06T04:40:18.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-1469
Vulnerability from cvelistv5
Published
2013-03-13 20:48
Modified
2024-09-17 02:42
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/forum/viewtopic.php?id=21470 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.4.7 | x_refsource_CONFIRM | |
| https://www.htbridge.com/advisory/HTB23144 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | x_refsource_MISC | |
| http://www.exploit-db.com/exploits/24561 | exploit, x_refsource_EXPLOIT-DB | |
| http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php | x_refsource_MISC | |
| http://piwigo.org/bugs/view.php?id=0002843 | x_refsource_CONFIRM | |
| http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:04:48.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.4.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=0002843"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-03-13T20:48:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.4.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=0002843"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1469",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/forum/viewtopic.php?id=21470",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"name": "http://piwigo.org/releases/2.4.7",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"name": "https://www.htbridge.com/advisory/HTB23144",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"name": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"name": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php",
"refsource": "MISC",
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php"
},
{
"name": "http://piwigo.org/bugs/view.php?id=0002843",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=0002843"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-1469",
"datePublished": "2013-03-13T20:48:00Z",
"dateReserved": "2013-01-29T00:00:00Z",
"dateUpdated": "2024-09-17T02:42:20.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-4648
Vulnerability from cvelistv5
Published
2014-06-28 15:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/releases/2.6.3 | x_refsource_CONFIRM | |
| http://piwigo.org/forum/viewtopic.php?id=24009 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:20:26.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.6.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24009"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-28T15:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.6.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24009"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4648",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/releases/2.6.3",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.6.3"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=24009",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=24009"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4648",
"datePublished": "2014-06-28T15:00:00",
"dateReserved": "2014-06-25T00:00:00",
"dateUpdated": "2024-08-06T11:20:26.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-3735
Vulnerability from cvelistv5
Published
2022-01-28 00:00
Modified
2024-08-06 00:03
Severity ?
EPSS score ?
Summary
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:03:34.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://piwigo.org/release-2.8.1%2C"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/470%2C"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Piwigo",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "piwigo \u003c 2.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "http://piwigo.org/release-2.8.1%2C"
},
{
"url": "https://github.com/Piwigo/Piwigo/issues/470%2C"
},
{
"url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-3735",
"datePublished": "2022-01-28T00:00:00",
"dateReserved": "2016-03-30T00:00:00",
"dateUpdated": "2024-08-06T00:03:34.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10678
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/99383 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:41:55.505Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99383",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99383"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-05T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99383",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99383"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99383",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99383"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/721",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10678",
"datePublished": "2017-06-29T21:00:00",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-08-05T17:41:55.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-4526
Vulnerability from cvelistv5
Published
2019-12-02 17:48
Modified
2024-08-06 20:42
Severity ?
EPSS score ?
Summary
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2013/02/11/1 | x_refsource_MISC | |
| https://security-tracker.debian.org/tracker/CVE-2012-4526 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2012-4526 | x_refsource_MISC | |
| http://www.securityfocus.com/bid/55710 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2012/10/18/4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:42:54.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4526"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4526"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "piwigo",
"vendor": "piwigo",
"versions": [
{
"status": "affected",
"version": "2.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "in password.php, incomplete fix for CVE-2012-4525",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-02T17:48:45",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4526"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4526"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4526",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "piwigo",
"version": {
"version_data": [
{
"version_value": "2.4.4"
}
]
}
}
]
},
"vendor_name": "piwigo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "in password.php, incomplete fix for CVE-2012-4525"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.openwall.com/lists/oss-security/2013/02/11/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-4526",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4526"
},
{
"name": "https://access.redhat.com/security/cve/cve-2012-4526",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2012-4526"
},
{
"name": "http://www.securityfocus.com/bid/55710",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55710"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/10/18/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4526",
"datePublished": "2019-12-02T17:48:45",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:42:54.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2009-4039
Vulnerability from cvelistv5
Published
2009-11-20 19:00
Modified
2024-09-16 17:38
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://secunia.com/advisories/37336 | third-party-advisory, x_refsource_SECUNIA | |
| http://piwigo.org/releases/2.0.6 | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2009/3221 | vdb-entry, x_refsource_VUPEN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T06:45:51.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "37336",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/37336"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.0.6"
},
{
"name": "ADV-2009-3221",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2009/3221"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-11-20T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "37336",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/37336"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.0.6"
},
{
"name": "ADV-2009-3221",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2009/3221"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-4039",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "37336",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/37336"
},
{
"name": "http://piwigo.org/releases/2.0.6",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.0.6"
},
{
"name": "ADV-2009-3221",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2009/3221"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-4039",
"datePublished": "2009-11-20T19:00:00Z",
"dateReserved": "2009-11-20T00:00:00Z",
"dateUpdated": "2024-09-16T17:38:37.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17823
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/826"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/826"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17823",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/826",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/826"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983"
},
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17823",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-33362
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 15:35
Severity ?
EPSS score ?
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:47:05.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1911"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-33362",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:15:28.499547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:35:39.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to SQL Injection via in the \"profile\" function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-23T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/1911"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-33362",
"datePublished": "2023-05-23T00:00:00.000Z",
"dateReserved": "2023-05-22T00:00:00.000Z",
"dateUpdated": "2025-01-31T15:35:39.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40882
Vulnerability from cvelistv5
Published
2021-12-14 17:54
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1477 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:51:07.710Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1477"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-14T17:54:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1477"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40882",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1477",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1477"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40882",
"datePublished": "2021-12-14T17:54:56",
"dateReserved": "2021-09-13T00:00:00",
"dateUpdated": "2024-08-04T02:51:07.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-4525
Vulnerability from cvelistv5
Published
2019-12-02 17:46
Modified
2024-08-06 20:42
Severity ?
EPSS score ?
Summary
piwigo has XSS in password.php
References
| ▼ | URL | Tags |
|---|---|---|
| https://security-tracker.debian.org/tracker/CVE-2012-4525 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/cve-2012-4525 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2013/02/11/1 | x_refsource_MISC | |
| http://www.securityfocus.com/bid/55710 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2012/10/18/4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:42:53.710Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4525"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4525"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "piwigo",
"vendor": "piwigo",
"versions": [
{
"status": "affected",
"version": "2.4.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "piwigo has XSS in password.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "in password.php",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-02T17:46:59",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4525"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4525"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4525",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "piwigo",
"version": {
"version_data": [
{
"version_value": "2.4.3 and earlier"
}
]
}
}
]
},
"vendor_name": "piwigo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "piwigo has XSS in password.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "in password.php"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-4525",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4525"
},
{
"name": "https://access.redhat.com/security/cve/cve-2012-4525",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2012-4525"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/02/11/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"name": "http://www.securityfocus.com/bid/55710",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55710"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/10/18/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4525",
"datePublished": "2019-12-02T17:46:59",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:42:53.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27973
Vulnerability from cvelistv5
Published
2021-04-02 18:19
Modified
2024-08-03 21:33
Severity ?
EPSS score ?
Summary
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1352 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.015Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1352"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-30T16:06:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1352"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27973",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1352",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1352"
},
{
"name": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27973",
"datePublished": "2021-04-02T18:19:28",
"dateReserved": "2021-03-05T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10514
Vulnerability from cvelistv5
Published
2017-10-10 20:00
Modified
2024-09-17 02:15
Severity ?
EPSS score ?
Summary
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/547 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.8.3 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/547"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a \" character, or a URL beginning with a substring other than the http:// or https:// substring."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/547"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10514",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a \" character, or a URL beginning with a substring other than the http:// or https:// substring."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/547",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/547"
},
{
"name": "http://piwigo.org/releases/2.8.3",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.8.3"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10514",
"datePublished": "2017-10-10T20:00:00Z",
"dateReserved": "2017-10-10T00:00:00Z",
"dateUpdated": "2024-09-17T02:15:43.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10105
Vulnerability from cvelistv5
Published
2017-01-03 06:34
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95202 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:32.182Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358"
},
{
"name": "95202",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95202"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-01-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "admin/plugin.php in Piwigo through 2.8.3 doesn\u0027t validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-04T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358"
},
{
"name": "95202",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95202"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10105",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/plugin.php in Piwigo through 2.8.3 doesn\u0027t validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358"
},
{
"name": "95202",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95202"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10105",
"datePublished": "2017-01-03T06:34:00",
"dateReserved": "2017-01-02T00:00:00",
"dateUpdated": "2024-08-06T03:07:32.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-22150
Vulnerability from cvelistv5
Published
2021-07-21 16:07
Modified
2024-08-04 14:51
Severity ?
EPSS score ?
Summary
A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1158 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.386Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1158"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T16:07:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1158"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-22150",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1158",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1158"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22150",
"datePublished": "2021-07-21T16:07:38",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:51:10.386Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10513
Vulnerability from cvelistv5
Published
2017-10-10 20:00
Modified
2024-09-16 16:43
Severity ?
EPSS score ?
Summary
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/548 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.8.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:52.129Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/548"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.8.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/548"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.8.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10513",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/548",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/548"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05"
},
{
"name": "http://piwigo.org/releases/2.8.3",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.8.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10513",
"datePublished": "2017-10-10T20:00:00Z",
"dateReserved": "2017-10-10T00:00:00Z",
"dateUpdated": "2024-09-16T16:43:51.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-9463
Vulnerability from cvelistv5
Published
2017-06-14 19:00
Modified
2024-08-05 17:11
Severity ?
EPSS score ?
Summary
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/705 | x_refsource_MISC | |
| https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | x_refsource_MISC | |
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:01.843Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/705"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart \u0026 iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-14T19:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/705"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-9463",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart \u0026 iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/705",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/705"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2"
},
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003",
"refsource": "MISC",
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-9463",
"datePublished": "2017-06-14T19:00:00",
"dateReserved": "2017-06-06T00:00:00",
"dateUpdated": "2024-08-05T17:11:01.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-3900
Vulnerability from cvelistv5
Published
2014-08-17 18:00
Modified
2024-08-06 10:57
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/bugs/view.php?id=3089 | x_refsource_CONFIRM | |
| http://jvn.jp/en/jp/JVN09717399/index.html | third-party-advisory, x_refsource_JVN | |
| http://piwigo.org/dev/changeset/28678 | x_refsource_CONFIRM | |
| http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093 | third-party-advisory, x_refsource_JVNDB |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"name": "JVN#09717399",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN09717399/index.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/dev/changeset/28678"
},
{
"name": "JVNDB-2014-000093",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-08-17T17:57:00",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"name": "JVN#09717399",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN09717399/index.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/dev/changeset/28678"
},
{
"name": "JVNDB-2014-000093",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2014-3900",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/bugs/view.php?id=3089",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"name": "JVN#09717399",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN09717399/index.html"
},
{
"name": "http://piwigo.org/dev/changeset/28678",
"refsource": "CONFIRM",
"url": "http://piwigo.org/dev/changeset/28678"
},
{
"name": "JVNDB-2014-000093",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2014-3900",
"datePublished": "2014-08-17T18:00:00",
"dateReserved": "2014-05-27T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-9751
Vulnerability from cvelistv5
Published
2016-12-01 11:00
Modified
2024-08-06 02:59
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/94637 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/issues/559 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:59:03.461Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94637",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94637"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/559"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-05T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94637",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94637"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/559"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9751",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94637",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94637"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/559",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/559"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9751",
"datePublished": "2016-12-01T11:00:00",
"dateReserved": "2016-12-01T00:00:00",
"dateUpdated": "2024-08-06T02:59:03.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-45357
Vulnerability from cvelistv5
Published
2022-02-10 17:38
Modified
2024-08-04 04:39
Severity ?
EPSS score ?
Summary
Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1582 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.690Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1582"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T17:38:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1582"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-45357",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1582",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1582"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-45357",
"datePublished": "2022-02-10T17:38:27",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-04T04:39:20.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-19213
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1010 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1010"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T13:55:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1010"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19213",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1010",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1010"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19213",
"datePublished": "2022-05-06T13:55:31",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-4614
Vulnerability from cvelistv5
Published
2014-07-02 20:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/oss-sec/2014/q2/623 | mailing-list, x_refsource_MLIST | |
| http://piwigo.org/bugs/view.php?id=0003055 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.6.2 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:20:26.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.6.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-07-02T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.6.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4614",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"name": "http://piwigo.org/bugs/view.php?id=0003055",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"name": "http://piwigo.org/releases/2.6.2",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.6.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4614",
"datePublished": "2014-07-02T20:00:00",
"dateReserved": "2014-06-24T00:00:00",
"dateUpdated": "2024-08-06T11:20:26.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13364
Vulnerability from cvelistv5
Published
2019-09-13 12:24
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://piwigo.com | x_refsource_MISC | |
| https://github.com/Piwigo/Piwigo/issues | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2019/Sep/25 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Jun/29 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:49:24.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://piwigo.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat\u0026#95;number, billing\u0026#95;name, company, or billing\u0026#95;address parameter. This is exploitable via CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-23T20:06:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://piwigo.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13364",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat\u0026#95;number, billing\u0026#95;name, company, or billing\u0026#95;address parameter. This is exploitable via CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://piwigo.com",
"refsource": "MISC",
"url": "https://piwigo.com"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"name": "http://seclists.org/fulldisclosure/2019/Sep/25",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"name": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13364",
"datePublished": "2019-09-13T12:24:45",
"dateReserved": "2019-07-06T00:00:00",
"dateUpdated": "2024-08-04T23:49:24.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-48007
Vulnerability from cvelistv5
Published
2023-01-27 00:00
Modified
2024-08-03 15:02
Severity ?
EPSS score ?
Summary
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:02:36.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1835"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/1835"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-48007",
"datePublished": "2023-01-27T00:00:00",
"dateReserved": "2022-12-29T00:00:00",
"dateUpdated": "2024-08-03T15:02:36.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2010-1707
Vulnerability from cvelistv5
Published
2010-05-04 15:00
Modified
2024-09-16 23:30
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936 | x_refsource_CONFIRM | |
| http://www.vupen.com/english/advisories/2010/1034 | vdb-entry, x_refsource_VUPEN |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T01:35:52.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936"
},
{
"name": "ADV-2010-1034",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2010/1034"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-05-04T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936"
},
{
"name": "ADV-2010-1034",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2010/1034"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-1707",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936",
"refsource": "CONFIRM",
"url": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936"
},
{
"name": "ADV-2010-1034",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2010/1034"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-1707",
"datePublished": "2010-05-04T15:00:00Z",
"dateReserved": "2010-05-04T00:00:00Z",
"dateUpdated": "2024-09-16T23:30:59.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10085
Vulnerability from cvelistv5
Published
2016-12-30 07:08
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/95167 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:32.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558"
},
{
"name": "95167",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95167"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-01-02T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558"
},
{
"name": "95167",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95167"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10085",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558"
},
{
"name": "95167",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95167"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10085",
"datePublished": "2016-12-30T07:08:00",
"dateReserved": "2016-12-30T00:00:00",
"dateUpdated": "2024-08-06T03:07:32.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-19215
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1011 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.664Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T13:55:41",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19215",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1011",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19215",
"datePublished": "2022-05-06T13:55:41",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-32297
Vulnerability from cvelistv5
Published
2022-07-14 19:04
Modified
2024-08-03 07:39
Severity ?
EPSS score ?
Summary
Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.600Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T19:04:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-32297",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md",
"refsource": "MISC",
"url": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-32297",
"datePublished": "2022-07-14T19:04:39",
"dateReserved": "2022-06-05T00:00:00",
"dateUpdated": "2024-08-03T07:39:50.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10680
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/99349 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:41:55.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99349",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99349"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-03T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99349",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99349"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10680",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99349",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99349"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/721",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10680",
"datePublished": "2017-06-29T21:00:00",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-08-05T17:41:55.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-32615
Vulnerability from cvelistv5
Published
2021-05-13 22:07
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/issues/1410 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:30.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1410"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-13T22:07:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1410"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-32615",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/1410",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/1410"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-32615",
"datePublished": "2021-05-13T22:07:29",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:30.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24620
Vulnerability from cvelistv5
Published
2022-02-23 14:26
Modified
2024-08-03 04:13
Severity ?
EPSS score ?
Summary
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1605 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:57.004Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1605"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster\u0027s cookies to get the webmaster\u0027s access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-23T14:26:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1605"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24620",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster\u0027s cookies to get the webmaster\u0027s access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1605",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1605"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24620",
"datePublished": "2022-02-23T14:26:24",
"dateReserved": "2022-02-07T00:00:00",
"dateUpdated": "2024-08-03T04:13:57.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2011-3790
Vulnerability from cvelistv5
Published
2011-09-24 00:00
Modified
2024-09-16 21:57
Severity ?
EPSS score ?
Summary
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2011/06/27/6 | mailing-list, x_refsource_MLIST | |
| http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README | x_refsource_MISC | |
| http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:46:03.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-09-24T00:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-3790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README",
"refsource": "MISC",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5",
"refsource": "MISC",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-3790",
"datePublished": "2011-09-24T00:00:00Z",
"dateReserved": "2011-09-23T00:00:00Z",
"dateUpdated": "2024-09-16T21:57:19.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2015-2035
Vulnerability from cvelistv5
Published
2015-02-20 16:00
Modified
2024-08-06 05:02
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.
References
| ▼ | URL | Tags |
|---|---|---|
| http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2015/Feb/73 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html | x_refsource_MISC | |
| http://piwigo.org/releases/2.7.4 | x_refsource_CONFIRM | |
| http://piwigo.org/forum/viewtopic.php?id=25179 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/72689 | vdb-entry, x_refsource_BID | |
| http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:02:43.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"name": "72689",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72689"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-28T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"name": "72689",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72689"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2035",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html",
"refsource": "MISC",
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"name": "20150218 Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo \u003c= v. 2.7.3",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"name": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"name": "http://piwigo.org/releases/2.7.4",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.7.4"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=25179",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"name": "72689",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72689"
},
{
"name": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html",
"refsource": "MISC",
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2035",
"datePublished": "2015-02-20T16:00:00",
"dateReserved": "2015-02-19T00:00:00",
"dateUpdated": "2024-08-06T05:02:43.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2012-2208
Vulnerability from cvelistv5
Published
2012-08-14 22:00
Modified
2024-08-06 19:26
Severity ?
EPSS score ?
Summary
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.exploit-db.com/exploits/18782 | exploit, x_refsource_EXPLOIT-DB | |
| http://piwigo.org/forum/viewtopic.php?id=19173 | x_refsource_CONFIRM | |
| https://www.htbridge.com/advisory/HTB23085 | x_refsource_MISC | |
| http://piwigo.org/releases/2.3.4 | x_refsource_CONFIRM | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/75185 | vdb-entry, x_refsource_XF | |
| http://www.securityfocus.com/bid/53245 | vdb-entry, x_refsource_BID | |
| http://secunia.com/advisories/48903 | third-party-advisory, x_refsource_SECUNIA | |
| http://piwigo.org/bugs/view.php?id=2607 | x_refsource_CONFIRM | |
| http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "18782",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "piwigo-language-directory-traversal(75185)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185"
},
{
"name": "53245",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "48903",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/48903"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-04-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "18782",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "piwigo-language-directory-traversal(75185)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185"
},
{
"name": "53245",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "48903",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/48903"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-2208",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "18782",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"name": "http://piwigo.org/forum/viewtopic.php?id=19173",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"name": "https://www.htbridge.com/advisory/HTB23085",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"name": "http://piwigo.org/releases/2.3.4",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"name": "piwigo-language-directory-traversal(75185)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185"
},
{
"name": "53245",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53245"
},
{
"name": "48903",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/48903"
},
{
"name": "http://piwigo.org/bugs/view.php?id=2607",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"name": "20120425 Multiple vulnerabilities in Piwigo",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-2208",
"datePublished": "2012-08-14T22:00:00",
"dateReserved": "2012-04-04T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-44393
Vulnerability from cvelistv5
Published
2023-10-09 14:52
Modified
2024-09-19 13:51
Severity ?
EPSS score ?
Summary
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:32.753Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "piwigo",
"vendor": "piwigo",
"versions": [
{
"lessThan": "14.0.0beta4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44393",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T13:38:37.063877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T13:51:52.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Piwigo",
"vendor": "Piwigo",
"versions": [
{
"status": "affected",
"version": "\u003c 14.0.0beta4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins\u0026tab=new\u0026installstatus=ok\u0026plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins\u0026tab=new\u0026installstatus=ok\u0026plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-09T14:52:42.879Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23"
}
],
"source": {
"advisory": "GHSA-qg85-957m-7vgg",
"discovery": "UNKNOWN"
},
"title": "Piwigo Reflected XSS vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44393",
"datePublished": "2023-10-09T14:52:42.879Z",
"dateReserved": "2023-09-28T17:56:32.614Z",
"dateUpdated": "2024-09-19T13:51:52.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-34626
Vulnerability from cvelistv5
Published
2023-06-15 00:00
Modified
2024-12-18 16:14
Severity ?
EPSS score ?
Summary
Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:17:04.174Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1924"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34626",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-18T16:14:36.399249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T16:14:51.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.7.0 is vulnerable to SQL Injection via the \"Users\" function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-15T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/1924"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-34626",
"datePublished": "2023-06-15T00:00:00",
"dateReserved": "2023-06-07T00:00:00",
"dateUpdated": "2024-12-18T16:14:51.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-9452
Vulnerability from cvelistv5
Published
2017-06-06 16:00
Modified
2024-09-17 00:01
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/667 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:01.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/667"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-06T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/667"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-9452",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/667",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/667"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-9452",
"datePublished": "2017-06-06T16:00:00Z",
"dateReserved": "2017-06-06T00:00:00Z",
"dateUpdated": "2024-09-17T00:01:09.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40553
Vulnerability from cvelistv5
Published
2022-06-28 16:22
Modified
2024-08-04 02:44
Severity ?
EPSS score ?
Summary
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Yang9999999/vuln/blob/main/README.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:44:10.866Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Yang9999999/vuln/blob/main/README.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T16:22:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Yang9999999/vuln/blob/main/README.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40553",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Yang9999999/vuln/blob/main/README.md",
"refsource": "MISC",
"url": "https://github.com/Yang9999999/vuln/blob/main/README.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40553",
"datePublished": "2022-06-28T16:22:23",
"dateReserved": "2021-09-07T00:00:00",
"dateUpdated": "2024-08-04T02:44:10.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-5692
Vulnerability from cvelistv5
Published
2018-01-14 04:00
Modified
2024-08-05 05:40
Severity ?
EPSS score ?
Summary
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.vulnerability-lab.com/get_content.php?id=2005 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:40:51.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.vulnerability-lab.com/get_content.php?id=2005"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-14T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.vulnerability-lab.com/get_content.php?id=2005"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-5692",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.vulnerability-lab.com/get_content.php?id=2005",
"refsource": "MISC",
"url": "https://www.vulnerability-lab.com/get_content.php?id=2005"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-5692",
"datePublished": "2018-01-14T04:00:00",
"dateReserved": "2018-01-13T00:00:00",
"dateUpdated": "2024-08-05T05:40:51.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-13363
Vulnerability from cvelistv5
Published
2019-09-13 12:22
Modified
2024-08-04 23:49
Severity ?
EPSS score ?
Summary
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://piwigo.com | x_refsource_MISC | |
| https://github.com/Piwigo/Piwigo/issues | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2019/Sep/25 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2020/Jun/29 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:49:24.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://piwigo.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm\u0026#95;send\u0026#95;html\u0026#95;mail, nbm\u0026#95;send\u0026#95;mail\u0026#95;as, nbm\u0026#95;send\u0026#95;detailed\u0026#95;content, nbm\u0026#95;complementary\u0026#95;mail\u0026#95;content, nbm\u0026#95;send\u0026#95;recent\u0026#95;post\u0026#95;dates, or param\u0026#95;submit parameter. This is exploitable via CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-23T20:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://piwigo.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-13363",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm\u0026#95;send\u0026#95;html\u0026#95;mail, nbm\u0026#95;send\u0026#95;mail\u0026#95;as, nbm\u0026#95;send\u0026#95;detailed\u0026#95;content, nbm\u0026#95;complementary\u0026#95;mail\u0026#95;content, nbm\u0026#95;send\u0026#95;recent\u0026#95;post\u0026#95;dates, or param\u0026#95;submit parameter. This is exploitable via CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://piwigo.com",
"refsource": "MISC",
"url": "https://piwigo.com"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"name": "http://seclists.org/fulldisclosure/2019/Sep/25",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"name": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "20200623 GilaCMS - CVE-2019-13364 CVE-2019-13363",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-13363",
"datePublished": "2019-09-13T12:22:58",
"dateReserved": "2019-07-06T00:00:00",
"dateUpdated": "2024-08-04T23:49:24.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8089
Vulnerability from cvelistv5
Published
2020-02-10 15:12
Modified
2024-08-04 09:48
Severity ?
EPSS score ?
Summary
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://piwigo.org/forum/viewforum.php?id=23 | x_refsource_MISC | |
| https://github.com/Piwigo/Piwigo/issues/1150 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:25.487Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://piwigo.org/forum/viewforum.php?id=23"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1150"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-10T15:12:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://piwigo.org/forum/viewforum.php?id=23"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1150"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-8089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://piwigo.org/forum/viewforum.php?id=23",
"refsource": "MISC",
"url": "https://piwigo.org/forum/viewforum.php?id=23"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/1150",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/1150"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-8089",
"datePublished": "2020-02-10T15:12:30",
"dateReserved": "2020-01-27T00:00:00",
"dateUpdated": "2024-08-04T09:48:25.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-37183
Vulnerability from cvelistv5
Published
2022-08-31 17:09
Modified
2024-08-03 10:21
Severity ?
EPSS score ?
Summary
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:33.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-31T17:09:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-37183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0",
"refsource": "MISC",
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37183",
"datePublished": "2022-08-31T17:09:50",
"dateReserved": "2022-08-01T00:00:00",
"dateUpdated": "2024-08-03T10:21:33.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-26267
Vulnerability from cvelistv5
Published
2022-03-18 22:57
Modified
2024-08-03 04:56
Severity ?
EPSS score ?
Summary
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.932Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-18T22:57:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26267",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md",
"refsource": "MISC",
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26267",
"datePublished": "2022-03-18T22:57:03",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-08-03T04:56:37.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-4613
Vulnerability from cvelistv5
Published
2018-03-16 17:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/oss-sec/2014/q2/623 | mailing-list, x_refsource_MLIST | |
| http://www.exploit-db.com/exploits/31916 | exploit, x_refsource_EXPLOIT-DB | |
| http://www.securityfocus.com/bid/65811 | vdb-entry, x_refsource_BID | |
| http://seclists.org/oss-sec/2014/q2/610 | mailing-list, x_refsource_MLIST | |
| http://osvdb.org/show/osvdb/103774 | vdb-entry, x_refsource_OSVDB | |
| http://piwigo.org/bugs/view.php?id=0003055 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.6.2 | x_refsource_CONFIRM | |
| http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:20:26.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"name": "31916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/31916"
},
{
"name": "65811",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/65811"
},
{
"name": "[oss-security] 20140623 CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2014/q2/610"
},
{
"name": "103774",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/show/osvdb/103774"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.6.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-16T16:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"name": "31916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/31916"
},
{
"name": "65811",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/65811"
},
{
"name": "[oss-security] 20140623 CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2014/q2/610"
},
{
"name": "103774",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/show/osvdb/103774"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.6.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4613",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140624 Re: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"name": "31916",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/31916"
},
{
"name": "65811",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/65811"
},
{
"name": "[oss-security] 20140623 CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2014/q2/610"
},
{
"name": "103774",
"refsource": "OSVDB",
"url": "http://osvdb.org/show/osvdb/103774"
},
{
"name": "http://piwigo.org/bugs/view.php?id=0003055",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"name": "http://piwigo.org/releases/2.6.2",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.6.2"
},
{
"name": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4613",
"datePublished": "2018-03-16T17:00:00",
"dateReserved": "2014-06-24T00:00:00",
"dateUpdated": "2024-08-06T11:20:26.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17774
Vulnerability from cvelistv5
Published
2017-12-20 03:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
admin/configuration.php in Piwigo 2.9.2 has CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | x_refsource_MISC | |
| https://github.com/Piwigo/Piwigo/issues/822 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "admin/configuration.php in Piwigo 2.9.2 has CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-20T03:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "admin/configuration.php in Piwigo 2.9.2 has CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md",
"refsource": "MISC",
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/822",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/822"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17774",
"datePublished": "2017-12-20T03:00:00",
"dateReserved": "2017-12-19T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-4649
Vulnerability from cvelistv5
Published
2014-06-28 15:00
Modified
2024-08-06 11:20
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/bugs/view.php?id=3089 | x_refsource_CONFIRM | |
| http://piwigo.org/bugs/changelog_page.php | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:20:26.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/changelog_page.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-28T15:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/changelog_page.php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4649",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/bugs/view.php?id=3089",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"name": "http://piwigo.org/bugs/changelog_page.php",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/changelog_page.php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4649",
"datePublished": "2014-06-28T15:00:00",
"dateReserved": "2014-06-25T00:00:00",
"dateUpdated": "2024-08-06T11:20:26.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17775
Vulnerability from cvelistv5
Published
2017-12-20 03:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-20T03:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17775",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md",
"refsource": "MISC",
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17775",
"datePublished": "2017-12-20T03:00:00",
"dateReserved": "2017-12-19T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-26876
Vulnerability from cvelistv5
Published
2023-04-21 00:00
Modified
2025-02-13 16:44
Severity ?
EPSS score ?
Summary
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:30.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tempest.com.br"
},
{
"tags": [
"x_transferred"
],
"url": "https://piwigo.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693"
},
{
"name": "20230428 Piwigo - CVE-2023-26876",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Apr/13"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-26876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T21:23:38.126996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T21:24:33.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history\u0026filter_image_id=\u0026filter_user_id endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-28T10:06:08.259Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.tempest.com.br"
},
{
"url": "https://piwigo.com"
},
{
"url": "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693"
},
{
"name": "20230428 Piwigo - CVE-2023-26876",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2023/Apr/13"
},
{
"url": "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-26876",
"datePublished": "2023-04-21T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:44:58.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-10679
Vulnerability from cvelistv5
Published
2017-06-29 21:00
Modified
2024-08-05 17:41
Severity ?
EPSS score ?
Summary
Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/bid/99380 | vdb-entry, x_refsource_BID | |
| https://github.com/Piwigo/Piwigo/issues/721 | x_refsource_CONFIRM | |
| https://github.com/Piwigo/Piwigo/issues/723 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:41:55.552Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99380",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99380"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/723"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-06-29T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-05T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99380",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99380"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/issues/723"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-10679",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99380",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99380"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/721",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"name": "https://github.com/Piwigo/Piwigo/issues/723",
"refsource": "CONFIRM",
"url": "https://github.com/Piwigo/Piwigo/issues/723"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-10679",
"datePublished": "2017-06-29T21:00:00",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-08-05T17:41:55.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40678
Vulnerability from cvelistv5
Published
2022-06-14 12:16
Modified
2024-08-04 02:51
Severity ?
EPSS score ?
Summary
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1476 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:51:06.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1476"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager\u0026mode=unit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T12:16:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1476"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-40678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager\u0026mode=unit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1476",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1476"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-40678",
"datePublished": "2022-06-14T12:16:48",
"dateReserved": "2021-09-07T00:00:00",
"dateUpdated": "2024-08-04T02:51:06.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-1980
Vulnerability from cvelistv5
Published
2014-08-14 01:00
Modified
2024-08-06 09:58
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
References
| ▼ | URL | Tags |
|---|---|---|
| http://jvn.jp/en/jp/JVN80310172/index.html | third-party-advisory, x_refsource_JVN | |
| http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092 | third-party-advisory, x_refsource_JVNDB | |
| http://piwigo.org/bugs/view.php?id=2805 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:15.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "JVN#80310172",
"tags": [
"third-party-advisory",
"x_refsource_JVN",
"x_transferred"
],
"url": "http://jvn.jp/en/jp/JVN80310172/index.html"
},
{
"name": "JVNDB-2014-000092",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB",
"x_transferred"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=2805"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-12-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-08-14T00:57:00",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"name": "JVN#80310172",
"tags": [
"third-party-advisory",
"x_refsource_JVN"
],
"url": "http://jvn.jp/en/jp/JVN80310172/index.html"
},
{
"name": "JVNDB-2014-000092",
"tags": [
"third-party-advisory",
"x_refsource_JVNDB"
],
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=2805"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2014-1980",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "JVN#80310172",
"refsource": "JVN",
"url": "http://jvn.jp/en/jp/JVN80310172/index.html"
},
{
"name": "JVNDB-2014-000092",
"refsource": "JVNDB",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092"
},
{
"name": "http://piwigo.org/bugs/view.php?id=2805",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=2805"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2014-1980",
"datePublished": "2014-08-14T01:00:00",
"dateReserved": "2014-02-17T00:00:00",
"dateUpdated": "2024-08-06T09:58:15.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-19217
Vulnerability from cvelistv5
Published
2022-05-06 13:55
Modified
2024-08-04 14:08
Severity ?
EPSS score ?
Summary
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/Piwigo/Piwigo/issues/1012 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.637Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1012"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-06T13:55:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1012"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19217",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/1012",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/1012"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19217",
"datePublished": "2022-05-06T13:55:59",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27233
Vulnerability from cvelistv5
Published
2023-05-17 00:00
Modified
2025-01-22 19:44
Severity ?
EPSS score ?
Summary
Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1872"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27233",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-22T19:44:13.187387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-22T19:44:16.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245"
},
{
"url": "https://github.com/Piwigo/Piwigo/issues/1872"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27233",
"datePublished": "2023-05-17T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-01-22T19:44:16.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-33361
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 15:34
Severity ?
EPSS score ?
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:47:05.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1910"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-33361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T15:34:30.264938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T15:34:35.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-23T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/1910"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-33361",
"datePublished": "2023-05-23T00:00:00.000Z",
"dateReserved": "2023-05-22T00:00:00.000Z",
"dateUpdated": "2025-01-31T15:34:35.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-9468
Vulnerability from cvelistv5
Published
2020-03-26 19:12
Modified
2024-08-04 10:26
Severity ?
EPSS score ?
Summary
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://piwigo.org/ext/extension_view.php?eid=303 | x_refsource_MISC | |
| https://github.com/plegall/Piwigo-community/issues/49 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://piwigo.org/ext/extension_view.php?eid=303"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/plegall/Piwigo-community/issues/49"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-26T19:12:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://piwigo.org/ext/extension_view.php?eid=303"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/plegall/Piwigo-community/issues/49"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-9468",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://piwigo.org/ext/extension_view.php?eid=303",
"refsource": "MISC",
"url": "https://piwigo.org/ext/extension_view.php?eid=303"
},
{
"name": "https://github.com/plegall/Piwigo-community/issues/49",
"refsource": "MISC",
"url": "https://github.com/plegall/Piwigo-community/issues/49"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-9468",
"datePublished": "2020-03-26T19:12:15",
"dateReserved": "2020-02-28T00:00:00",
"dateUpdated": "2024-08-04T10:26:16.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-17827
Vulnerability from cvelistv5
Published
2017-12-21 04:00
Modified
2024-08-05 20:59
Severity ?
EPSS score ?
Summary
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:59:17.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration\u0026section=main or /admin.php?page=batch_manager\u0026mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration\u0026section=main or /admin.php?page=batch_manager\u0026mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Piwigo/Piwigo/issues/822",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f",
"refsource": "MISC",
"url": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f"
},
{
"name": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md",
"refsource": "MISC",
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17827",
"datePublished": "2017-12-21T04:00:00",
"dateReserved": "2017-12-20T00:00:00",
"dateUpdated": "2024-08-05T20:59:17.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2013-1468
Vulnerability from cvelistv5
Published
2013-03-12 16:00
Modified
2024-09-16 16:38
Severity ?
EPSS score ?
Summary
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://piwigo.org/forum/viewtopic.php?id=21470 | x_refsource_CONFIRM | |
| http://piwigo.org/releases/2.4.7 | x_refsource_CONFIRM | |
| https://www.htbridge.com/advisory/HTB23144 | x_refsource_MISC | |
| http://secunia.com/advisories/52228 | third-party-advisory, x_refsource_SECUNIA | |
| http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html | x_refsource_MISC | |
| http://www.exploit-db.com/exploits/24561 | exploit, x_refsource_EXPLOIT-DB | |
| http://piwigo.org/bugs/view.php?id=0002844 | x_refsource_CONFIRM | |
| http://www.osvdb.org/90504 | vdb-entry, x_refsource_OSVDB | |
| http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T15:04:49.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/releases/2.4.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"name": "52228",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/52228"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://piwigo.org/bugs/view.php?id=0002844"
},
{
"name": "90504",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/90504"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-03-12T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/releases/2.4.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"name": "52228",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/52228"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://piwigo.org/bugs/view.php?id=0002844"
},
{
"name": "90504",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/90504"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-1468",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://piwigo.org/forum/viewtopic.php?id=21470",
"refsource": "CONFIRM",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"name": "http://piwigo.org/releases/2.4.7",
"refsource": "CONFIRM",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"name": "https://www.htbridge.com/advisory/HTB23144",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"name": "52228",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/52228"
},
{
"name": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"name": "24561",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"name": "http://piwigo.org/bugs/view.php?id=0002844",
"refsource": "CONFIRM",
"url": "http://piwigo.org/bugs/view.php?id=0002844"
},
{
"name": "90504",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/90504"
},
{
"name": "20130227 Multiple Vulnerabilities in Piwigo",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-1468",
"datePublished": "2013-03-12T16:00:00Z",
"dateReserved": "2013-01-29T00:00:00Z",
"dateUpdated": "2024-09-16T16:38:45.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-33359
Vulnerability from cvelistv5
Published
2023-05-23 00:00
Modified
2025-01-31 17:29
Severity ?
EPSS score ?
Summary
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:47:05.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1908"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-33359",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T18:47:29.908823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T17:29:19.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the \"add tags\" function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-23T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Piwigo/Piwigo/issues/1908"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-33359",
"datePublished": "2023-05-23T00:00:00.000Z",
"dateReserved": "2023-05-22T00:00:00.000Z",
"dateUpdated": "2025-01-31T17:29:19.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-37270
Vulnerability from cvelistv5
Published
2023-07-07 21:26
Modified
2024-10-18 18:37
Severity ?
EPSS score ?
Summary
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:34.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a"
},
{
"name": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491"
},
{
"name": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621"
},
{
"name": "https://piwigo.org/release-13.8.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://piwigo.org/release-13.8.0"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "piwigo",
"vendor": "piwigo",
"versions": [
{
"lessThan": "13.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37270",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T18:06:38.544954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T18:37:52.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Piwigo",
"vendor": "Piwigo",
"versions": [
{
"status": "affected",
"version": "\u003c 13.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-07T21:26:28.573Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx"
},
{
"name": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a"
},
{
"name": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491"
},
{
"name": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621"
},
{
"name": "https://piwigo.org/release-13.8.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://piwigo.org/release-13.8.0"
}
],
"source": {
"advisory": "GHSA-934w-qj9p-3qcx",
"discovery": "UNKNOWN"
},
"title": "Piwigo SQL Injection vulnerability in \"User-Agent\""
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37270",
"datePublished": "2023-07-07T21:26:28.573Z",
"dateReserved": "2023-06-29T19:35:26.439Z",
"dateUpdated": "2024-10-18T18:37:52.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-12-06 21:15
Modified
2024-11-21 06:23
Severity ?
Summary
Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1469 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1469 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BC6DF8-D938-4413-B4C7-132BCC938E68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php."
},
{
"lang": "es",
"value": "Se ha detectado que Piwigo versi\u00f3n v11.5, contiene una vulnerabilidad de inyecci\u00f3n SQL por medio del par\u00e1metro pwg_token en el archivo /admin/batch_manager_global.php"
}
],
"id": "CVE-2021-40313",
"lastModified": "2024-11-21T06:23:51.027",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-06T21:15:07.867",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1469"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1469"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-28 20:15
Modified
2024-11-21 02:50
Severity ?
Summary
Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "294E7F72-0D7D-4B0C-B05E-B58EFB07CF35",
"versionEndExcluding": "2.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset."
},
{
"lang": "es",
"value": "Piwigo es un software de galer\u00eda de im\u00e1genes escrito en PHP. Cuando no es cumplido un criterio en un host, piwigo usa por defecto mt_rand para generar tokens de restablecimiento de contrase\u00f1a. La salida de mt_rand puede predecirse tras recuperar la semilla usada para generarla. Esto permite a un atacante no autenticado hacerse con una cuenta siempre que conozca la direcci\u00f3n de correo electr\u00f3nico del administrador para poder solicitar el restablecimiento de la contrase\u00f1a"
}
],
"id": "CVE-2016-3735",
"lastModified": "2024-11-21T02:50:36.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-28T20:15:08.437",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://piwigo.org/release-2.8.1%2C"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/Piwigo/Piwigo/issues/470%2C"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/release-2.8.1%2C"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f51ee90c66527fd7ff634f3e8d414cb670da068d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/Piwigo/Piwigo/issues/470%2C"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-335"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-335"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F28058B1-07D1-458C-8AC2-C2914FE4516F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible."
},
{
"lang": "es",
"value": "El panel de gesti\u00f3n en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el par\u00e1metro name en una petici\u00f3n /ws.php?format=json. Podr\u00eda ser posible la explotaci\u00f3n de CSRF, relacionada con CVE-2017-10681."
}
],
"id": "CVE-2018-7722",
"lastModified": "2024-11-21T04:12:36.203",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-06T17:29:00.323",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-14 19:29
Modified
2024-11-21 03:36
Severity ?
Summary
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/706 | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/706 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1931608C-2835-4E94-AC78-CCBB6C9EC9E5",
"versionEndIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the \"redirect\" parameter is not validated."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Redireccionamiento Abierto est\u00e1 presente en Piwigo versi\u00f3n 2.9 y anteriores, lo que permite a los atacantes remotos redireccionar a los usuarios a sitios web arbitrarios y conducir ataques de phishing. El componente del archivo identification.php se ve afectado por este problema: el par\u00e1metro \"redirect\" no es comprobado."
}
],
"id": "CVE-2017-9464",
"lastModified": "2024-11-21T03:36:11.313",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T19:29:00.247",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/706"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/706"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-007"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95166 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/575 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95166 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/575 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251",
"versionEndIncluding": "2.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en admin/plugin.php en Piwigo hasta la versi\u00f3n 2.8.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nombre de archivo manipulado que se maneja de manera incorrecta en un cierto caso de error."
}
],
"id": "CVE-2016-10083",
"lastModified": "2024-11-21T02:43:15.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-30T07:59:00.190",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95166"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/575"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95166"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/7df3830c81716b959a2d0d3a0d8216b860ae0dc7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/575"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-07-07 22:15
Modified
2024-11-21 08:11
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9188B4E-C34F-4967-8D30-2AE1AEB51C50",
"versionEndExcluding": "13.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately."
}
],
"id": "CVE-2023-37270",
"lastModified": "2024-11-21T08:11:21.770",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-07T22:15:09.570",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://piwigo.org/release-13.8.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/functions.inc.php#L621"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/978425527d6c113887f845d75cf982bbb62d761a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-934w-qj9p-3qcx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://piwigo.org/release-13.8.0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D356328-15B0-4402-94E6-8C16E09EB088",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el backend administrativo en Piwigo hasta la versi\u00f3n 2.9.2 permite que usuarios remotos ejecuten comandos SQL arbitrarios mediante los par\u00e1metros cat_false o cat_true en la p\u00e1gina de comentarios o de estado en cat_options.php."
}
],
"id": "CVE-2017-10682",
"lastModified": "2024-11-21T03:06:17.393",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-29T21:29:00.330",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/99357"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/724"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/43337/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/99357"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/3dd6812412289a199564e63fffd0a9754010b9e0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/724"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/43337/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-01 17:29
Modified
2024-11-21 03:17
Severity ?
Summary
The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/804 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/804 | Issue Tracking |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A17106BD-7461-4A08-AFAC-E79CFC54268C",
"versionEndIncluding": "2.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n Piwigo se ve afectada por una vulnerabilidad de inyecci\u00f3n SQL en la versi\u00f3n 2.9.2 y posiblemente en las anteriores. Esta vulnerabilidad permite que los atacantes remotos autenticados obtengan informaci\u00f3n en el contexto del usuario utilizado por la aplicaci\u00f3n para recuperar datos de la base de datos. tags.php se ve afectado: los valores de los par\u00e1metros edit_list no est\u00e1n sanitizados; se utilizan para construir una consulta SQL y recuperar una lista de usuarios registrados en la aplicaci\u00f3n."
}
],
"id": "CVE-2017-16893",
"lastModified": "2024-11-21T03:17:11.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-01T17:29:00.543",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues/804"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues/804"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-14 13:15
Modified
2024-11-21 06:24
Severity ?
Summary
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1476 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1476 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BC6DF8-D938-4413-B4C7-132BCC938E68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager\u0026mode=unit."
},
{
"lang": "es",
"value": "En Piwigo versi\u00f3n 11.5.0, se presenta una vulnerabilidad de tipo cross-site scripting persistente en la funci\u00f3n de modo \u00fanico mediante /admin.php?page=batch_manager\u0026amp;mode=unit"
}
],
"id": "CVE-2021-40678",
"lastModified": "2024-11-21T06:24:33.500",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-14T13:15:07.937",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1476"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-02-03 16:59
Modified
2024-11-21 02:25
Severity ?
Summary
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/forum/viewtopic.php?id=25016 | Vendor Advisory | |
| cve@mitre.org | http://piwigo.org/releases/2.5.6 | Patch, Vendor Advisory | |
| cve@mitre.org | http://piwigo.org/releases/2.6.5 | Patch, Vendor Advisory | |
| cve@mitre.org | http://piwigo.org/releases/2.7.3 | Patch, Vendor Advisory | |
| cve@mitre.org | http://secunia.com/advisories/62606 | ||
| cve@mitre.org | http://www.securityfocus.com/bid/72400 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/forum/viewtopic.php?id=25016 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.5.6 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.6.5 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.7.3 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/62606 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/72400 |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61D5A594-379F-42FF-BC3E-01793AE929FE",
"versionEndIncluding": "2.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B95C9758-4EE5-4690-8EDF-575907C3A15A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6EDF6D0E-33DD-483C-996F-D6159A744BA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "533214A7-83F9-49E1-BF53-DA53E5AE2F82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "92705F58-8812-43D0-A35E-5695A60BBD0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "BBB74696-421F-4414-BB75-996107E2A12B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "41B4D40F-2571-4729-BBF6-1014C7A3DC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5C68DAF3-6C49-438A-881B-A261B267C55A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5E0A6114-5FC1-41C2-8F89-9EE6B76E5E0F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de SQL en Piwigo anterior a 2.5.6, 2.6.x anterior a 2.6.5, y 2.7.x anterior a 2.7.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-1441",
"lastModified": "2024-11-21T02:25:25.993",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-02-03T16:59:26.563",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25016"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.5.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.6.5"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.3"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/62606"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72400"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25016"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.5.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.6.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/62606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72400"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F28058B1-07D1-458C-8AC2-C2914FE4516F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible."
},
{
"lang": "es",
"value": "El panel de gesti\u00f3n en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el par\u00e1metro name en una petici\u00f3n /admin.php?page=photo-${photo_number}. Podr\u00eda ser posible la explotaci\u00f3n de CSRF, relacionada con CVE-2017-10681."
}
],
"id": "CVE-2018-7724",
"lastModified": "2024-11-21T04:12:36.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-06T17:29:00.433",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-10 18:15
Modified
2024-11-21 06:32
Severity ?
Summary
Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1582 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1582 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BDC77171-712D-461F-83B8-953EB077F285",
"versionEndIncluding": "12.1.0",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Piwigo versi\u00f3n 12.x, por medio de la funci\u00f3n pwg_activity en el archivo include/functions.inc.php"
}
],
"id": "CVE-2021-45357",
"lastModified": "2024-11-21T06:32:08.013",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-10T18:15:08.383",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1582"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1582"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:26
Severity ?
Summary
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2C56A23-6191-4B62-82F3-35527976E603",
"versionEndIncluding": "2.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el backend administrativo en Piwigo en versiones anteriores a 2.7.4 permite a administradores remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro user en la p\u00e1gina del historial a admin.php."
}
],
"id": "CVE-2015-2035",
"lastModified": "2024-11-21T02:26:37.757",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-02-20T16:59:07.397",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72689"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-20 03:29
Modified
2024-11-21 03:18
Severity ?
Summary
Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request."
},
{
"lang": "es",
"value": "Piwigo tiene una vulnerabilidad de Cross-Site Scripting (XSS) mediante el par\u00e1metro name en una petici\u00f3n admin.php?page=album-3-properties."
}
],
"id": "CVE-2017-17775",
"lastModified": "2024-11-21T03:18:38.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-20T03:29:00.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/99380 | ||
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/723 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99380 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/723 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D356328-15B0-4402-94E6-8C16E09EB088",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed."
},
{
"lang": "es",
"value": "Piwigo hasta la versi\u00f3n 2.9.1 permite que atacantes remotos obtengan informaci\u00f3n sensible sobre el nombre descriptivo de un v\u00ednculo permanente examinando la URL de redirecci\u00f3n que se devuelve en una petici\u00f3n para el n\u00famero de ID del v\u00ednculo permanente de un \u00e1lbum privado. Los n\u00fameros de ID del v\u00ednculo permanente se adivinan f\u00e1cilmente."
}
],
"id": "CVE-2017-10679",
"lastModified": "2024-11-21T03:06:16.933",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-29T21:29:00.237",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/99380"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/723"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/99380"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/723"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-09 15:15
Modified
2024-11-21 08:25
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A9A51DBC-EA76-4B8F-8DE6-7745C843A675",
"versionEndIncluding": "13.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:14.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "C56DF199-9F77-4651-B7C7-B592A9C65AF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:14.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "7CBD8ECB-841F-4C29-A7DF-72F5D2FBBC99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:14.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2AB2327B-CFBB-4863-BEC1-B92F0602AF3A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins\u0026tab=new\u0026installstatus=ok\u0026plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins\u0026tab=new\u0026installstatus=ok\u0026plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue."
},
{
"lang": "es",
"value": "Piwigo es una aplicaci\u00f3n de galer\u00eda de fotograf\u00edas de c\u00f3digo abierto. Antes de la versi\u00f3n 14.0.0beta4, una vulnerabilidad de Cross-Site Scripting (XSS) reflejada se encuentra en la p\u00e1gina ` /admin.php?page=plugins\u0026amp;tab=new\u0026amp;installstatus=ok\u0026amp;plugin_id=[here]`. Un atacante puede aprovechar esta vulnerabilidad para inyectar c\u00f3digo HTML y JS malicioso en la p\u00e1gina HTML, que luego los usuarios administradores podr\u00edan ejecutar cuando visiten la URL con el payload. La vulnerabilidad se debe a la inyecci\u00f3n insegura del valor `plugin_id` de la URL en la p\u00e1gina HTML. Un atacante puede aprovechar esta vulnerabilidad creando una URL maliciosa que contenga un valor \"plugin_id\" especialmente manipulado. Cuando una v\u00edctima que ha iniciado sesi\u00f3n como administrador visita esta URL, el c\u00f3digo malicioso se inyectar\u00e1 en la p\u00e1gina HTML y se ejecutar\u00e1. Esta vulnerabilidad puede ser aprovechada por cualquier atacante que tenga acceso a una URL maliciosa. Sin embargo, s\u00f3lo se ven afectados los usuarios que han iniciado sesi\u00f3n como administradores. Esto se debe a que la vulnerabilidad solo est\u00e1 presente en la p\u00e1gina `/admin.php?page=plugins\u0026amp;tab=new\u0026amp;installstatus=ok\u0026amp;plugin_id=[here]`, a la que solo pueden acceder los administradores. La versi\u00f3n 14.0.0.beta4 contiene un parche para este problema."
}
],
"id": "CVE-2023-44393",
"lastModified": "2024-11-21T08:25:48.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-09T15:15:10.057",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/security/advisories/GHSA-qg85-957m-7vgg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity ?
Summary
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95167 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95167 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251",
"versionEndIncluding": "2.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter."
},
{
"lang": "es",
"value": "admin/languages.php en Piwigo hasta la versi\u00f3n 2.8.3 permite a administradores remotos autenticados llevar a cabo ataques File Inclusion a trav\u00e9s del par\u00e1metro tab."
}
],
"id": "CVE-2016-10085",
"lastModified": "2024-11-21T02:43:16.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-30T07:59:00.270",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95167"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95167"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/4b33a0fd199fd445b15a49927ea6a9a153e3877d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/573#issuecomment-267974558"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 16:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1911 | Exploit, Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1911 | Exploit, Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:13.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B279DE47-F1F5-4BB9-A47B-1C9B73DD9076",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to SQL Injection via in the \"profile\" function."
}
],
"id": "CVE-2023-33362",
"lastModified": "2025-01-31T16:15:30.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-23T14:15:09.917",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1911"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1911"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1010 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1010 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en el archivo cat_move.php en piwigo versi\u00f3n v2.9.5, por medio del par\u00e1metro selection de move_categories"
}
],
"id": "CVE-2020-19213",
"lastModified": "2024-11-21T05:09:02.263",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T14:15:08.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1010"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1010"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/99383 | ||
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99383 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D356328-15B0-4402-94E6-8C16E09EB088",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-Site Request Forgery (CSRF) en Piwigo hasta la versi\u00f3n 2.9.1 permite que atacantes remotos secuestren la autenticaci\u00f3n de usuarios para peticiones que eliminan v\u00ednculos permanentes mediante una petici\u00f3n manipulada."
}
],
"id": "CVE-2017-10678",
"lastModified": "2024-11-21T03:06:16.783",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-29T21:29:00.190",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/99383"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/99383"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-02 19:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1352 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1352 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE6825BB-C574-480F-92B6-5A7D8E70BFD9",
"versionEndExcluding": "11.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages."
},
{
"lang": "es",
"value": "Una inyecci\u00f3n SQL se presenta en Piwigo versiones anteriores a 11.4.0, por medio del par\u00e1metro language en admin.php?page=languages."
}
],
"id": "CVE-2021-27973",
"lastModified": "2024-11-21T05:58:56.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-02T19:15:20.880",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1352"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1352"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/99362 | ||
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99362 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D356328-15B0-4402-94E6-8C16E09EB088",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Piwigo hasta la versi\u00f3n 2.9.1 permite que atacantes remotos secuestren la autenticaci\u00f3n de usuarios para peticiones que desbloquean \u00e1lbumes mediante una petici\u00f3n manipulada."
}
],
"id": "CVE-2017-10681",
"lastModified": "2024-11-21T03:06:17.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-29T21:29:00.297",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/99362"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/99362"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
},
{
"lang": "es",
"value": "El componente Configuration de Piwigo 2.9.2 es vulnerable a inyecci\u00f3n SQL mediante el par\u00e1metro de array order_by en admin/configuration.php. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada."
}
],
"id": "CVE-2017-17823",
"lastModified": "2024-11-21T03:18:45.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/826"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/826"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-06 17:29
Modified
2024-11-21 04:12
Severity ?
Summary
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F28058B1-07D1-458C-8AC2-C2914FE4516F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible."
},
{
"lang": "es",
"value": "El panel de gesti\u00f3n en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el par\u00e1metro virtual_name en una petici\u00f3n /admin.php?page=cat_list. Este problema es diferente de CVE-2017-9836. Podr\u00eda ser posible la explotaci\u00f3n de CSRF, relacionada con CVE-2017-10681."
}
],
"id": "CVE-2018-7723",
"lastModified": "2024-11-21T04:12:36.340",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-06T17:29:00.370",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-13 13:15
Modified
2024-11-21 04:24
Severity ?
Summary
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm\u0026#95;send\u0026#95;html\u0026#95;mail, nbm\u0026#95;send\u0026#95;mail\u0026#95;as, nbm\u0026#95;send\u0026#95;detailed\u0026#95;content, nbm\u0026#95;complementary\u0026#95;mail\u0026#95;content, nbm\u0026#95;send\u0026#95;recent\u0026#95;post\u0026#95;dates, or param\u0026#95;submit parameter. This is exploitable via CSRF."
},
{
"lang": "es",
"value": "admin.php?page=notify_by_mail en Piwigo versi\u00f3n 2.9.5 presenta una vulnerabilidad de tipo XSS por medio del par\u00e1metro nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, o param_submit. Esto es explotable por medio de un ataque de tipo CSRF."
}
],
"id": "CVE-2019-13363",
"lastModified": "2024-11-21T04:24:47.990",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-13T13:15:11.367",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://piwigo.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Product"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://piwigo.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-18 23:15
Modified
2024-11-21 06:53
Severity ?
Summary
Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "81C2A86F-D640-455A-915C-B187ECB741AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php."
},
{
"lang": "es",
"value": "Se ha detectado que Piwigo versi\u00f3n v12.2.0, contiene una vulnerabilidad de inyecci\u00f3n SQL por medio del archivo pwg.users.php"
}
],
"id": "CVE-2022-26266",
"lastModified": "2024-11-21T06:53:40.080",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-18T23:15:07.833",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_SQLinject.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-26 20:15
Modified
2024-11-21 05:40
Severity ?
Summary
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/plegall/Piwigo-community/issues/49 | Patch, Third Party Advisory | |
| cve@mitre.org | https://piwigo.org/ext/extension_view.php?eid=303 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/plegall/Piwigo-community/issues/49 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://piwigo.org/ext/extension_view.php?eid=303 | Release Notes |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.0:e-beta:*:*:*:*:*:*",
"matchCriteriaId": "43076B11-9615-4DB5-9C54-7105AD92F0AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter."
},
{
"lang": "es",
"value": "El plugin Community versi\u00f3n 2.9.e-beta para Piwigo, permite a usuarios establecer informaci\u00f3n de imagen sobre im\u00e1genes en \u00e1lbumes para los que no tienen permiso, al manipular el par\u00e1metro image_id."
}
],
"id": "CVE-2020-9468",
"lastModified": "2024-11-21T05:40:42.457",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-26T20:15:11.473",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plegall/Piwigo-community/issues/49"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://piwigo.org/ext/extension_view.php?eid=303"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/plegall/Piwigo-community/issues/49"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://piwigo.org/ext/extension_view.php?eid=303"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en el archivo admin/user_perm.php en piwigo versi\u00f3n v2.9.5, por medio del par\u00e1metro cat_false en admin.php?page=user_perm"
}
],
"id": "CVE-2020-19215",
"lastModified": "2024-11-21T05:09:02.420",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T14:15:08.313",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-28 17:15
Modified
2024-11-21 06:24
Severity ?
Summary
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Yang9999999/vuln/blob/main/README.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Yang9999999/vuln/blob/main/README.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BC6DF8-D938-4413-B4C7-132BCC938E68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor."
},
{
"lang": "es",
"value": "piwigo versi\u00f3n 11.5.0, est\u00e1 afectado por una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota (RCE) en el Editor de Archivos Locales"
}
],
"id": "CVE-2021-40553",
"lastModified": "2024-11-21T06:24:22.163",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-28T17:15:07.887",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Yang9999999/vuln/blob/main/README.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Yang9999999/vuln/blob/main/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-30 07:59
Modified
2024-11-21 02:43
Severity ?
Summary
admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95164 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95164 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251",
"versionEndIncluding": "2.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page[\u0027tab\u0027] variable (aka the mode parameter)."
},
{
"lang": "es",
"value": "admin/batch_manager.php en Piwigo hasta la versi\u00f3n 2.8.3 permite a administradores remotos autenticados llevar a cabo ataques File Inclusion a trav\u00e9s de la variable $page[\u0027tab\u0027] (tambi\u00e9n conocido como el par\u00e1metro mode)."
}
],
"id": "CVE-2016-10084",
"lastModified": "2024-11-21T02:43:15.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-30T07:59:00.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95164"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95164"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9dd92959f6975099e0c62163a846a4648a6a920f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/572#issuecomment-268252202"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-06-28 15:55
Modified
2024-11-21 02:10
Severity ?
Summary
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B95C9758-4EE5-4690-8EDF-575907C3A15A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "533214A7-83F9-49E1-BF53-DA53E5AE2F82",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el subsistema photo-edit en Piwigo 2.6.x y 2.7.x anterior a 2.7.0beta2 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del campo associate[]."
}
],
"id": "CVE-2014-4649",
"lastModified": "2024-11-21T02:10:38.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-06-28T15:55:08.240",
"references": [
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/changelog_page.php"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/changelog_page.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/view.php?id=3089"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-26 20:15
Modified
2024-11-21 05:40
Severity ?
Summary
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1168 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1168 | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 2.10.1, presenta una vulnerabilidad de tipo XSS almacenado, por medio del par\u00e1metro file en una petici\u00f3n del archivo /ws.php debido a la funci\u00f3n pwg.images.setInfo."
}
],
"id": "CVE-2020-9467",
"lastModified": "2024-11-21T05:40:42.323",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-26T20:15:11.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1168"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1168"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-10 20:29
Modified
2024-11-21 02:44
Severity ?
Summary
url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/releases/2.8.3 | Patch, Release Notes, Vendor Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/547 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.3 | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/547 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A4BE149-A8CA-4C7D-9A2F-0ACAEEFB375A",
"versionEndIncluding": "2.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a \" character, or a URL beginning with a substring other than the http:// or https:// substring."
},
{
"lang": "es",
"value": "url_check_format en include/functions.inc.php en Piwigo, en versiones anteriores a la 2.8.3, permite que atacantes remotos omitan las restricciones de acceso establecidas, mediante una URL que contiene un car\u00e1cter \" (comillas) o una URL que empieza con una subcadena diferente de http:// o https://."
}
],
"id": "CVE-2016-10514",
"lastModified": "2024-11-21T02:44:10.710",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-10T20:29:00.273",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/b3157cbfd859c914911b114d4edbba4654758b57"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/547"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-13 23:15
Modified
2024-11-21 06:07
Severity ?
Summary
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1410 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1410 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B9E1456D-0916-4CBB-BE90-A5AE7E099A38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 11.4.0 permite la inyecci\u00f3n SQL en admin/user_list_backend.php order[0][dir]."
}
],
"id": "CVE-2021-32615",
"lastModified": "2024-11-21T06:07:23.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-13T23:15:07.337",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1410"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/2ce1e5952238eba0fe5c5d6537ebdc76cb970b52"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1410"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-11-20 19:30
Modified
2024-11-21 01:08
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/releases/2.0.6 | Patch, Vendor Advisory | |
| cve@mitre.org | http://secunia.com/advisories/37336 | Vendor Advisory | |
| cve@mitre.org | http://www.vupen.com/english/advisories/2009/3221 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.0.6 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/37336 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.vupen.com/english/advisories/2009/3221 | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCD22CE7-3A0A-48C3-95EB-C9DB3745EAC2",
"versionEndIncluding": "2.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados(XSS) en Piwigo antes de v2.0.6 permite a atacantes remotos inyectar HTML o scripts web a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2009-4039",
"lastModified": "2024-11-21T01:08:47.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2009-11-20T19:30:00.920",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.0.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37336"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3221"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.0.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/37336"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2009/3221"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-16 17:29
Modified
2024-11-21 02:10
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:-:*:*:*:*:*:*",
"matchCriteriaId": "DCB952C8-9539-4007-8FD8-08D790953876",
"versionEndExcluding": "2.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el el panel de administraci\u00f3n en versiones anteriores a la 2.6.2 en Piwigo permite que atacantes remotos secuestren la autenticaci\u00f3n de administradores para peticiones que a\u00f1adan usuarios mediante una acci\u00f3n pwg.users.add en una petici\u00f3n en ws.php."
}
],
"id": "CVE-2014-4613",
"lastModified": "2024-11-21T02:10:34.187",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-16T17:29:00.287",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/show/osvdb/103774"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "http://piwigo.org/releases/2.6.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q2/610"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.exploit-db.com/exploits/31916"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/65811"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://osvdb.org/show/osvdb/103774"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "http://piwigo.org/releases/2.6.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q2/610"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.exploit-db.com/exploits/31916"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/65811"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-20 03:29
Modified
2024-11-21 03:18
Severity ?
Summary
admin/configuration.php in Piwigo 2.9.2 has CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/822 | Issue Tracking, Patch | |
| cve@mitre.org | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/822 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin/configuration.php in Piwigo 2.9.2 has CSRF."
},
{
"lang": "es",
"value": "admin/configuration.php en Piwigo 2.9.2 tiene una vulnerabilidad Cross-Site Request Forgery (CSRF)."
}
],
"id": "CVE-2017-17774",
"lastModified": "2024-11-21T03:18:38.080",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-20T03:29:00.207",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-17 20:15
Modified
2025-01-22 20:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1872 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1872 | Release Notes |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86097A18-F13B-45AC-B24B-5A879C3A2DE2",
"versionEndExcluding": "13.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php."
}
],
"id": "CVE-2023-27233",
"lastModified": "2025-01-22T20:15:29.997",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-17T20:15:09.933",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1872"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/renanavs/dcb13bb1cd618ce7eb0c80290b837245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1872"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-08-14 05:01
Modified
2024-11-21 02:05
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| piwigo | piwigo | * | |
| piwigo | piwigo | 2.0.0 | |
| piwigo | piwigo | 2.0.1 | |
| piwigo | piwigo | 2.0.2 | |
| piwigo | piwigo | 2.0.3 | |
| piwigo | piwigo | 2.0.4 | |
| piwigo | piwigo | 2.0.5 | |
| piwigo | piwigo | 2.0.6 | |
| piwigo | piwigo | 2.0.7 | |
| piwigo | piwigo | 2.0.8 | |
| piwigo | piwigo | 2.0.9 | |
| piwigo | piwigo | 2.0.10 | |
| piwigo | piwigo | 2.1.0 | |
| piwigo | piwigo | 2.1.1 | |
| piwigo | piwigo | 2.1.2 | |
| piwigo | piwigo | 2.1.3 | |
| piwigo | piwigo | 2.1.4 | |
| piwigo | piwigo | 2.1.5 | |
| piwigo | piwigo | 2.1.6 | |
| piwigo | piwigo | 2.2.0 | |
| piwigo | piwigo | 2.2.1 | |
| piwigo | piwigo | 2.2.2 | |
| piwigo | piwigo | 2.2.3 | |
| piwigo | piwigo | 2.2.4 | |
| piwigo | piwigo | 2.2.5 | |
| piwigo | piwigo | 2.3.0 | |
| piwigo | piwigo | 2.3.1 | |
| piwigo | piwigo | 2.3.2 | |
| piwigo | piwigo | 2.3.3 | |
| piwigo | piwigo | 2.3.4 | |
| piwigo | piwigo | 2.3.5 | |
| piwigo | piwigo | 2.4.0 | |
| piwigo | piwigo | 2.4.1 | |
| piwigo | piwigo | 2.4.2 | |
| piwigo | piwigo | 2.4.3 | |
| piwigo | piwigo | 2.4.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12270F64-8B72-4D5B-912B-D65D1FCA904C",
"versionEndIncluding": "2.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C19CE4F7-2033-44E7-BBD2-70D451692E37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "FC5D9559-C2C7-405E-8874-47B227D3CF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E85CC3-7B91-4ABE-A011-7167339F8EB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "608D7317-53DE-4CAB-B396-3C7A6C6B418F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7024F414-7E9A-4FD9-9B34-EB0A5D820E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "068DE0CF-6D52-434D-A118-4D346014B07F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F816C962-4FC3-4763-96BB-15EB27B367D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BD204EAB-344D-4569-BB17-3E7C2A5EA92A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CBCC5440-AD21-47F4-BE33-898302981AC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96AC8E7D-5718-42F6-9829-59996D18EDFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A58D540A-4786-411D-AF4F-020120AA65A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7F55F438-AF9D-405C-A1E6-758DE74EFC65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "03F4C388-E6B2-40C5-8C3C-DDD80D619F27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EED818B6-30DE-46C6-B240-FC9B5E5C6A78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1B61AB-ECE7-4E89-9059-2066F08F67AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB10D77F-38E8-4164-A651-399DFB6A4AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F79451CF-562C-4DC1-B03F-7FA354E6C36C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F8474722-3819-418E-9C7E-FADC5EEE3D58",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en include/functions_metadata.inc.php en Piwigo anterior a 2.4.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del campo Make en los metadatos IPTC Exif dentro de un imagen subido al plugin Community."
}
],
"id": "CVE-2014-1980",
"lastModified": "2024-11-21T02:05:23.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-08-14T05:01:49.490",
"references": [
{
"source": "vultures@jpcert.or.jp",
"url": "http://jvn.jp/en/jp/JVN80310172/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=2805"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvn.jp/en/jp/JVN80310172/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=2805"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-29 21:29
Modified
2024-11-21 03:06
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/99349 | ||
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99349 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/721 | Exploit, Technical Description, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D356328-15B0-4402-94E6-8C16E09EB088",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-Site Request Forgery (CSRF) en Piwigo hasta la versi\u00f3n 2.9.1 permite que atacantes remotos secuestren la autenticaci\u00f3n de usuarios para peticiones para cambiar un \u00e1lbum privado a p\u00fablico mediante una petici\u00f3n manipulada."
}
],
"id": "CVE-2017-10680",
"lastModified": "2024-11-21T03:06:17.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-29T21:29:00.267",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/99349"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/99349"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/03a8329b89c0d196ecdb54227a8113f24555ffc0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/721"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-14 03:13
Modified
2024-11-21 01:49
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C317128C-7749-4BE1-A7D3-88CAB5BE6F67",
"versionEndIncluding": "2.4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D245F2A4-676D-478F-8D0F-E183CF52E656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2E349A00-60C3-426A-B6AA-B940B60B28F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D724AA1-B057-409F-ABCA-064586771118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "38A03451-C199-44DD-A4ED-298B50193FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "752561BC-D824-4264-8697-DD9DE88F7D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "615E6F3A-162D-42F6-A537-442E9ED0B385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "36F26A2A-2175-4665-ACA5-A417A665B662",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D17AE0-823E-41EC-A282-10103975E792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E99613B2-BF99-4A44-9240-9720A17206A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B899A695-73BA-4459-86E4-E96E12FB4CA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7081BEAD-39F5-48EC-B13F-81073D7C4C2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EAC7628A-2083-41A2-8621-DACD3F769C53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D565B05-80D5-400A-ADBB-8DE393798D7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7F7623DB-E676-41B3-A15D-6769BF7E230D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "03BBE4F6-35E8-4935-B657-651D3D822890",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6A62DCAD-3C28-4595-9095-90DBA3944BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0064F204-3F3F-4E32-8104-A15ECC8464D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C19CE4F7-2033-44E7-BBD2-70D451692E37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "FC5D9559-C2C7-405E-8874-47B227D3CF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E85CC3-7B91-4ABE-A011-7167339F8EB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "608D7317-53DE-4CAB-B396-3C7A6C6B418F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7024F414-7E9A-4FD9-9B34-EB0A5D820E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "068DE0CF-6D52-434D-A118-4D346014B07F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F816C962-4FC3-4763-96BB-15EB27B367D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BD204EAB-344D-4569-BB17-3E7C2A5EA92A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CBCC5440-AD21-47F4-BE33-898302981AC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96AC8E7D-5718-42F6-9829-59996D18EDFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A58D540A-4786-411D-AF4F-020120AA65A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7F55F438-AF9D-405C-A1E6-758DE74EFC65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "03F4C388-E6B2-40C5-8C3C-DDD80D619F27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EED818B6-30DE-46C6-B240-FC9B5E5C6A78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1B61AB-ECE7-4E89-9059-2066F08F67AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB10D77F-38E8-4164-A651-399DFB6A4AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F79451CF-562C-4DC1-B03F-7FA354E6C36C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F8474722-3819-418E-9C7E-FADC5EEE3D58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C33A514B-739F-4A78-A868-19860A2F4BCA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en el complemento LocalFiles Editor de Piwigo anterior a v2.4.7 que permite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para peticiones que crean ficheros arbitrarios PHP a trav\u00e9s de vectores sin especificar."
}
],
"id": "CVE-2013-1468",
"lastModified": "2024-11-21T01:49:39.463",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-03-14T03:13:32.660",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/view.php?id=0002844"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52228"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/90504"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/view.php?id=0002844"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/52228"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/90504"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-21 15:15
Modified
2025-02-04 22:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC474569-D3BC-4BAF-B1AD-FDA7A1DF3E4B",
"versionEndIncluding": "13.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history\u0026filter_image_id=\u0026filter_user_id endpoint."
}
],
"id": "CVE-2023-26876",
"lastModified": "2025-02-04T22:15:39.600",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-04-21T15:15:07.160",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2023/Apr/13"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://piwigo.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://www.tempest.com.br"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/172059/Piwigo-13.5.0-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2023/Apr/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://piwigo.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.tempest.com.br"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration§ion=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration\u0026section=main or /admin.php?page=batch_manager\u0026mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions."
},
{
"lang": "es",
"value": "Piwigo 2.9.2 es vulnerable a Cross-Site Request Forgery (CSRF) mediante /admin.php?page=configurationsection=main o /admin.php?page=batch_managermode=unit. Un atacante puede explotarlo para forzar a un usuario admin para que realice acciones no esperadas."
}
],
"id": "CVE-2017-17827",
"lastModified": "2024-11-21T03:18:45.917",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.463",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/822"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-26 13:15
Modified
2024-11-21 06:23
Severity ?
Summary
Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1470 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1470 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BC6DF8-D938-4413-B4C7-132BCC938E68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 11.5.0, est\u00e1 afectado por una vulnerabilidad de inyecci\u00f3n SQL por medio del archivo admin.php y el par\u00e1metro id"
}
],
"id": "CVE-2021-40317",
"lastModified": "2024-11-21T06:23:51.197",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-26T13:15:08.083",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1470"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1470"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-13 13:15
Modified
2024-11-21 04:24
Severity ?
Summary
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat\u0026#95;number, billing\u0026#95;name, company, or billing\u0026#95;address parameter. This is exploitable via CSRF."
},
{
"lang": "es",
"value": "admin.php?page=account_billing en Piwigo versi\u00f3n 2.9.5, presenta una vulnerabilidad de tipo XSS por medio del par\u00e1metro vat_number, billing_name, company, o billing_address. Esto es explotable por medio de un ataque de tipo CSRF."
}
],
"id": "CVE-2019-13364",
"lastModified": "2024-11-21T04:24:48.147",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-13T13:15:11.447",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://piwigo.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2019/Sep/25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://piwigo.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-02 18:15
Modified
2024-11-21 01:43
Severity ?
Summary
piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53E98B96-1C2D-48D9-A110-39FFA4F26D6D",
"versionEndIncluding": "2.4.3",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)"
},
{
"lang": "es",
"value": "piwigo presenta una vulnerabilidad de tipo XSS en el archivo password.php (una soluci\u00f3n incompleta para CVE-2012-4525)."
}
],
"id": "CVE-2012-4526",
"lastModified": "2024-11-21T01:43:03.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-02T18:15:09.927",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4526"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4526"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4526"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4526"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1012 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1012 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en el archivo admin/batch_manager.php en piwigo versi\u00f3n v2.9.5, por medio del par\u00e1metro filter_category en admin.php?page=batch_manager"
}
],
"id": "CVE-2020-19217",
"lastModified": "2024-11-21T05:09:02.727",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T14:15:08.407",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1012"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1012"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-23 11:59
Modified
2024-11-21 02:20
Severity ?
Summary
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61D5A594-379F-42FF-BC3E-01793AE929FE",
"versionEndIncluding": "2.5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B95C9758-4EE5-4690-8EDF-575907C3A15A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "8AE2DA12-FDBC-47DF-AC4A-61581D5941ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9088607E-D33B-4058-A816-47981DBB86CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "533214A7-83F9-49E1-BF53-DA53E5AE2F82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "92705F58-8812-43D0-A35E-5695A60BBD0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "BBB74696-421F-4414-BB75-996107E2A12B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "41B4D40F-2571-4729-BBF6-1014C7A3DC0C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5C68DAF3-6C49-438A-881B-A261B267C55A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n rate_picture en include/functions_rate.inc.php en Piwigo anterior a 2.5.5, 2.6.x anterior a 2.6.4, and 2.7.x anterior a 2.7.2 permite a atacantes remotos ejecutar sentencias SQL a trav\u00e9s del par\u00e1metro de valoraci\u00f3n a picture.php, debido a una comparaci\u00f3n de un valor no num\u00e9rico que empiece con un d\u00edgito."
}
],
"id": "CVE-2014-9115",
"lastModified": "2024-11-21T02:20:14.463",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-23T11:59:04.110",
"references": [
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24850"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://piwigo.org/releases/2.7.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24850"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://piwigo.org/releases/2.7.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2014/Nov/23"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-24 15:29
Modified
2024-11-21 03:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/716 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/716 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "76057820-1B0F-4F8C-95C5-DA070CCE5623",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album)."
},
{
"lang": "es",
"value": "Vulnerabilidad Cross-site Scripting (XSS en Piwigo 2.9.1 permite a un administrador autentificado remoto inyectar un script arbitrario o c\u00f3digo HTML mediante el par\u00e1metro virtual_name a /admin.php (p.e, crear un \u00e1lbum virtual)"
}
],
"id": "CVE-2017-9836",
"lastModified": "2024-11-21T03:36:57.317",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-24T15:29:00.173",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/716"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/716"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-09-24 00:55
Modified
2024-11-21 01:31
Severity ?
Summary
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7024F414-7E9A-4FD9-9B34-EB0A5D820E87",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files."
},
{
"lang": "es",
"value": "Piwigo v2.1.5 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una petici\u00f3n directa a un archivo .php, lo que revela la ruta de instalaci\u00f3n en un mensaje de error, como se demostr\u00f3 con tools/metadata.php y algunos otros archivos."
}
],
"id": "CVE-2011-3790",
"lastModified": "2024-11-21T01:31:16.233",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-09-24T00:55:02.833",
"references": [
{
"source": "cve@mitre.org",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"source": "cve@mitre.org",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2016-12-01 11:59
Modified
2024-11-21 03:01
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/94637 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/559 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94637 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/559 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0EA2C805-ABFB-49A0-8291-3A5D4548907F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en los resultados de b\u00fasqueda front end en Piwigo 2.8.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro de b\u00fasqueda."
}
],
"id": "CVE-2016-9751",
"lastModified": "2024-11-21T03:01:42.427",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-12-01T11:59:10.103",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94637"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/559"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94637"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/559"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-31 18:15
Modified
2024-11-21 07:14
Severity ?
Summary
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | Exploit, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0 | Exploit, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:12.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "216D5A08-DD04-4FF9-B4A7-95BD8FE8D39E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 12.3.0, es vulnerable a un ataque de tipo Cross Site Scripting (XSS) por medio de /search/1940/created-monthly-list"
}
],
"id": "CVE-2022-37183",
"lastModified": "2024-11-21T07:14:34.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-31T18:15:08.657",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-01-14 04:29
Modified
2024-11-21 04:09
Severity ?
Summary
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.vulnerability-lab.com/get_content.php?id=2005 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vulnerability-lab.com/get_content.php?id=2005 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5962E3BE-9644-4CD6-9BD1-9BEA4CD53B35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file."
},
{
"lang": "es",
"value": "Piwigo v2.8.2 tiene XSS mediante los par\u00e1metros \"tab\", \"to\", \"section\", \"mode\", \"installstatus\" y \"display\" del archivo \"admin.php\"."
}
],
"id": "CVE-2018-5692",
"lastModified": "2024-11-21T04:09:10.900",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-14T04:29:00.317",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vulnerability-lab.com/get_content.php?id=2005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vulnerability-lab.com/get_content.php?id=2005"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-02 18:15
Modified
2024-11-21 01:43
Severity ?
Summary
piwigo has XSS in password.php
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53E98B96-1C2D-48D9-A110-39FFA4F26D6D",
"versionEndIncluding": "2.4.3",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "piwigo has XSS in password.php"
},
{
"lang": "es",
"value": "piwigo presenta una vulnerabilidad de tipo XSS en el archivo password.php."
}
],
"id": "CVE-2012-4525",
"lastModified": "2024-11-21T01:43:03.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-02T18:15:09.850",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4525"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4525"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2012/10/18/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/02/11/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/55710"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2012-4525"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-4525"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-18 23:15
Modified
2024-11-21 06:53
Severity ?
Summary
Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "81C2A86F-D640-455A-915C-B187ECB741AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php."
},
{
"lang": "es",
"value": "Se ha detectado que Piwigo versi\u00f3n v12.2.0, contiene un filtrado de informaci\u00f3n por medio del par\u00e1metro action en el archivo /admin/maintenance_actions.php"
}
],
"id": "CVE-2022-26267",
"lastModified": "2024-11-21T06:53:40.217",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-18T23:15:07.870",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/JCCD/Vul/blob/main/Piwigo_12.2.0_InforMation_Disclosure.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-14 22:55
Modified
2024-11-21 01:38
Severity ?
Summary
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9FA2940-9F57-469B-BFEE-5499A87C4394",
"versionEndIncluding": "2.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de recorrido de directorio en upgrade.php en Piwigo antes de v2.3.4 permite a atacantes remotos incluir y ejecutar archivos locales a trav\u00e9s de un .. (punto punto) en el par\u00e1metro labguage (idioma).\r\n"
}
],
"id": "CVE-2012-2208",
"lastModified": "2024-11-21T01:38:42.373",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-14T22:55:01.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/48903"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185"
},
{
"source": "cve@mitre.org",
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/48903"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75185"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.htbridge.com/advisory/HTB23085"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-28 18:59
Modified
2024-11-21 03:27
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/releases/2.8.6 | Release Notes, Vendor Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/95848 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/600 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.6 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95848 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/600 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B6B020F-0D8F-4DCB-A443-6A1398E0B3DA",
"versionEndIncluding": "2.8.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en la funci\u00f3n de carga de im\u00e1genes en Piwigo en versiones anteriores a 2.8.6 permite a un atacantes inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nombre de archivo de imagen manipulado."
}
],
"id": "CVE-2017-5608",
"lastModified": "2024-11-21T03:27:59.880",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-28T18:59:00.133",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.6"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95848"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95848"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/6ec3f2d0fae0437f0c2cc8c475a26fb6aeb0d4cb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/600"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration§ion=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration\u0026section=main request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
},
{
"lang": "es",
"value": "El componente Configuration de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante el par\u00e1metro gallery_title en una petici\u00f3n admin.php?page=configurationsection=main. Un atacante puede explotarlo para secuestrar el navegador de un cliente junto con los datos almacenados en \u00e9l."
}
],
"id": "CVE-2017-17826",
"lastModified": "2024-11-21T03:18:45.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.430",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-07-02 20:55
Modified
2024-11-21 02:10
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6ED8EF7D-FCE9-4A5A-A8FA-5C25AD998F8F",
"versionEndIncluding": "2.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D245F2A4-676D-478F-8D0F-E183CF52E656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2E349A00-60C3-426A-B6AA-B940B60B28F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D724AA1-B057-409F-ABCA-064586771118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "38A03451-C199-44DD-A4ED-298B50193FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "752561BC-D824-4264-8697-DD9DE88F7D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "615E6F3A-162D-42F6-A537-442E9ED0B385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "36F26A2A-2175-4665-ACA5-A417A665B662",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D17AE0-823E-41EC-A282-10103975E792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E99613B2-BF99-4A44-9240-9720A17206A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B899A695-73BA-4459-86E4-E96E12FB4CA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7081BEAD-39F5-48EC-B13F-81073D7C4C2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EAC7628A-2083-41A2-8621-DACD3F769C53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D565B05-80D5-400A-ADBB-8DE393798D7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7F7623DB-E676-41B3-A15D-6769BF7E230D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "03BBE4F6-35E8-4935-B657-651D3D822890",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6A62DCAD-3C28-4595-9095-90DBA3944BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0064F204-3F3F-4E32-8104-A15ECC8464D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C19CE4F7-2033-44E7-BBD2-70D451692E37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "FC5D9559-C2C7-405E-8874-47B227D3CF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E85CC3-7B91-4ABE-A011-7167339F8EB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "608D7317-53DE-4CAB-B396-3C7A6C6B418F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7024F414-7E9A-4FD9-9B34-EB0A5D820E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "068DE0CF-6D52-434D-A118-4D346014B07F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F816C962-4FC3-4763-96BB-15EB27B367D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BD204EAB-344D-4569-BB17-3E7C2A5EA92A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CBCC5440-AD21-47F4-BE33-898302981AC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96AC8E7D-5718-42F6-9829-59996D18EDFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A58D540A-4786-411D-AF4F-020120AA65A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7F55F438-AF9D-405C-A1E6-758DE74EFC65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "03F4C388-E6B2-40C5-8C3C-DDD80D619F27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EED818B6-30DE-46C6-B240-FC9B5E5C6A78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1B61AB-ECE7-4E89-9059-2066F08F67AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB10D77F-38E8-4164-A651-399DFB6A4AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F79451CF-562C-4DC1-B03F-7FA354E6C36C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F8474722-3819-418E-9C7E-FADC5EEE3D58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C33A514B-739F-4A78-A868-19860A2F4BCA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "805F6B66-405F-443F-AB57-21977AC959AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DCEBB44F-F339-4933-B805-42A747C78BE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3D95AB43-2C76-424A-8D0B-2575D9367033",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de CSRF en Piwigo anterior a 2.6.2 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para solicitudes que utilizan el m\u00e9todo (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add o (6) pwg.permissions.remove."
}
],
"id": "CVE-2014-4614",
"lastModified": "2024-11-21T02:10:34.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-07-02T20:55:06.877",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/releases/2.6.2"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/oss-sec/2014/q2/623"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=0003055"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/releases/2.6.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2014/q2/623"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-21 17:15
Modified
2024-11-21 05:13
Severity ?
Summary
A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1158 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1158 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) en el archivo /admin.php?page=permalinks de Piwigo versi\u00f3n 2.10.1 permite a atacantes ejecutar scripts web o HTML arbitrarios"
}
],
"id": "CVE-2020-22150",
"lastModified": "2024-11-21T05:13:07.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-21T17:15:08.167",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1158"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1158"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-02-24 15:15
Modified
2024-11-21 06:50
Severity ?
Summary
Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1605 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1605 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:12.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "81C2A86F-D640-455A-915C-B187ECB741AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster\u0027s cookies to get the webmaster\u0027s access."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 12.2.0, es vulnerable a un ataque de tipo cross-site scripting (XSS) almacenado, que puede conllevar a una escalada de privilegios. De este modo, el administrador puede robar las cookies del webmaster para conseguir su acceso"
}
],
"id": "CVE-2022-24620",
"lastModified": "2024-11-21T06:50:45.863",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-24T15:15:29.830",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1605"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1605"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-10 16:15
Modified
2024-11-21 05:38
Severity ?
Summary
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1150 | Exploit, Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://piwigo.org/forum/viewforum.php?id=23 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1150 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://piwigo.org/forum/viewforum.php?id=23 | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page."
},
{
"lang": "es",
"value": "Piwigo versi\u00f3n 2.10.1, est\u00e1 afectado por una vulnerabilidad de tipo XSS almacenado por medio del Group Name Field en la p\u00e1gina group_list."
}
],
"id": "CVE-2020-8089",
"lastModified": "2024-11-21T05:38:16.767",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-10T16:15:14.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1150"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://piwigo.org/forum/viewforum.php?id=23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://piwigo.org/forum/viewforum.php?id=23"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-27 18:15
Modified
2024-11-21 07:32
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1835 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1835 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:13.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4CE9B7C-3D2B-4876-B8E3-5EE46628EA5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross-site scripting (XSS) almacenado en identification.php de Piwigo v13.4.0 permite a los atacantes ejecutar scripts web o HTML de su elecci\u00f3n a trav\u00e9s de un payload manipulado inyectado en el User-Agent."
}
],
"id": "CVE-2022-48007",
"lastModified": "2024-11-21T07:32:41.230",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-27T18:15:14.947",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1835"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1835"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-14 18:15
Modified
2024-11-21 06:25
Severity ?
Summary
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1477 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1477 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:11.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6BC6DF8-D938-4413-B4C7-132BCC938E68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de tipo Cross Site Scripting (XSS) en Piwigo versi\u00f3n 11.5.0, por medio del nombre del \u00e1lbum del sistema y la descripci\u00f3n de la ubicaci\u00f3n"
}
],
"id": "CVE-2021-40882",
"lastModified": "2024-11-21T06:25:00.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-14T18:15:08.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1477"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-03 06:59
Modified
2024-11-21 02:43
Severity ?
Summary
admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/95202 | ||
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | Issue Tracking, Patch | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | Issue Tracking, Patch | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95202 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31 | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc | Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358 | Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78E1C4D0-B42E-4FF9-9DB3-313B2A4A8251",
"versionEndIncluding": "2.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "admin/plugin.php in Piwigo through 2.8.3 doesn\u0027t validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence."
},
{
"lang": "es",
"value": "admin/plugin.php en Piwigo hasta la versi\u00f3n 2.8.3 no valida el variable de secciones al usarlo para incluir archivos. Esto puede provocar la divulgaci\u00f3n de informaci\u00f3n y la ejecuci\u00f3n de c\u00f3digo si contiene una secuencia .. ."
}
],
"id": "CVE-2016-10105",
"lastModified": "2024-11-21T02:43:19.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-03T06:59:00.137",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/95202"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/95202"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/8796e43aa344681d92a92e1f9b985409d4f36e31"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9004fdfc0b4a11cb32e9e15a5f67e4ec827e82dc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/574#issuecomment-267938358"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database."
},
{
"lang": "es",
"value": "La API List Users de Piwigo 2.9.2 es vulnerable a inyecci\u00f3n SQL mediante el par\u00e1metro sSortDir_0 en /admin/user_list_backend.php. Un atacante puede explotarlo para obtener acceso a la informaci\u00f3n en una base de datos MySQL conectada."
}
],
"id": "CVE-2017-17822",
"lastModified": "2024-11-21T03:18:45.133",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.260",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/823"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/823"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-03-13 20:55
Modified
2024-11-21 01:49
Severity ?
Summary
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C317128C-7749-4BE1-A7D3-88CAB5BE6F67",
"versionEndIncluding": "2.4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D245F2A4-676D-478F-8D0F-E183CF52E656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2E349A00-60C3-426A-B6AA-B940B60B28F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D724AA1-B057-409F-ABCA-064586771118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "38A03451-C199-44DD-A4ED-298B50193FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "752561BC-D824-4264-8697-DD9DE88F7D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "615E6F3A-162D-42F6-A537-442E9ED0B385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "36F26A2A-2175-4665-ACA5-A417A665B662",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D17AE0-823E-41EC-A282-10103975E792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E99613B2-BF99-4A44-9240-9720A17206A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B899A695-73BA-4459-86E4-E96E12FB4CA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7081BEAD-39F5-48EC-B13F-81073D7C4C2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EAC7628A-2083-41A2-8621-DACD3F769C53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D565B05-80D5-400A-ADBB-8DE393798D7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7F7623DB-E676-41B3-A15D-6769BF7E230D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "03BBE4F6-35E8-4935-B657-651D3D822890",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6A62DCAD-3C28-4595-9095-90DBA3944BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0064F204-3F3F-4E32-8104-A15ECC8464D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DBF799AE-6BDA-43E9-B841-DAD6A3CC34F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C19CE4F7-2033-44E7-BBD2-70D451692E37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "146C7D99-8B0C-44A0-96E0-C8FBBB5F4567",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "FC5D9559-C2C7-405E-8874-47B227D3CF1F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E0E85CC3-7B91-4ABE-A011-7167339F8EB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0BCC087E-7ACA-4DE6-B8BF-43BECCB3049C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "608D7317-53DE-4CAB-B396-3C7A6C6B418F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "07B2CA8C-4B5E-46AF-A9AF-1B35AD63FF46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "886DF3A9-A97E-4C89-8EBF-F6A5872F26BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7024F414-7E9A-4FD9-9B34-EB0A5D820E87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "068DE0CF-6D52-434D-A118-4D346014B07F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F816C962-4FC3-4763-96BB-15EB27B367D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BD204EAB-344D-4569-BB17-3E7C2A5EA92A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CBCC5440-AD21-47F4-BE33-898302981AC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "96AC8E7D-5718-42F6-9829-59996D18EDFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A58D540A-4786-411D-AF4F-020120AA65A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7F55F438-AF9D-405C-A1E6-758DE74EFC65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "03F4C388-E6B2-40C5-8C3C-DDD80D619F27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "700425A6-CAF3-4ED5-8517-40FDB2450E49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EED818B6-30DE-46C6-B240-FC9B5E5C6A78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FF463F04-8ED6-42A8-9B23-ADD85EE6FE76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1B61AB-ECE7-4E89-9059-2066F08F67AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BB10D77F-38E8-4164-A651-399DFB6A4AD5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "21F1DB20-11A1-4145-8F7F-52CD3B07F0F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F41E5444-FDC0-47DF-8C4F-6AC69FFFED73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F79451CF-562C-4DC1-B03F-7FA354E6C36C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "DE24EE64-5390-4DFD-A5E4-42F5C2D5D609",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "F8474722-3819-418E-9C7E-FADC5EEE3D58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C33A514B-739F-4A78-A868-19860A2F4BCA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en install.php en Piwigo anterior a v2.4.7 que permite a atacantes remotos leer y eliminar ficheros arbitrarios a trav\u00e9s de .. (punto punto) en el par\u00e1metro dl."
}
],
"id": "CVE-2013-1469",
"lastModified": "2024-11-21T01:49:39.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-03-13T20:55:02.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/view.php?id=0002843"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/view.php?id=0002843"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/forum/viewtopic.php?id=21470"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/releases/2.4.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/24561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23144"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-06 16:29
Modified
2024-11-21 03:36
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/667 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/667 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1931608C-2835-4E94-AC78-CCBB6C9EC9E5",
"versionEndIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter."
},
{
"lang": "es",
"value": "La vulnerabilidad de tipo Cross-site scripting (XSS) en el archivo admin.php en Piwigo versi\u00f3n 2.9.0 y anteriores, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro page."
}
],
"id": "CVE-2017-9452",
"lastModified": "2024-11-21T03:36:09.873",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-06T16:29:00.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/667"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/667"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2009-08-21 20:30
Modified
2024-11-21 01:06
Severity ?
Summary
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9931524C-ECD8-40DA-969D-94BF21DB7075",
"versionEndIncluding": "2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Piwigo en versiones anteriores a 2.0.3 permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro \"items_number\"."
}
],
"id": "CVE-2009-2933",
"lastModified": "2024-11-21T01:06:05.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2009-08-21T20:30:00.437",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36333"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/505801/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"URL Repurposed"
],
"url": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/36333"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/505801/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"URL Repurposed"
],
"url": "http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager\u0026mode=unit request. An attacker can exploit this to hijack a client\u0027s browser along with the data stored in it."
},
{
"lang": "es",
"value": "El componente Batch Manager de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante los par\u00e1metros de array tags-* en una petici\u00f3n admin.php?page=batch_managermode=unit. Un atacante puede explotarlo para secuestrar el navegador de un cliente junto con los datos almacenados en \u00e9l."
}
],
"id": "CVE-2017-17825",
"lastModified": "2024-11-21T03:18:45.593",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.400",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-06-28 15:55
Modified
2024-11-21 02:10
Severity ?
Summary
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/forum/viewtopic.php?id=24009 | Vendor Advisory | |
| cve@mitre.org | http://piwigo.org/releases/2.6.3 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/forum/viewtopic.php?id=24009 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.6.3 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E25AF266-16C0-48AB-A69A-3DFDB3F26F0B",
"versionEndIncluding": "2.6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a \"security failure.\""
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en Piwigo anterior a 2.6.3 tiene impacto y vectores de ataque desconocidos, relacionado con un \u0027fallo de seguridad.\u0027"
}
],
"id": "CVE-2014-4648",
"lastModified": "2024-11-21T02:10:38.157",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-06-28T15:55:08.177",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24009"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.6.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=24009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.6.3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-15 16:15
Modified
2024-11-21 08:07
Severity ?
Summary
Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1924 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1924 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4B9AEE3-C9C5-4D20-BA38-9E5A2A64FABD",
"versionEndIncluding": "13.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.7.0 is vulnerable to SQL Injection via the \"Users\" function."
}
],
"id": "CVE-2023-34626",
"lastModified": "2024-11-21T08:07:27.927",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-15T16:15:09.347",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1924"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1924"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1011 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en el archivo admin/user_perm.php en piwigo versi\u00f3n v2.9.5, por medio del par\u00e1metro cat_false en admin.php?page=group_perm"
}
],
"id": "CVE-2020-19216",
"lastModified": "2024-11-21T05:09:02.563",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T14:15:08.363",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1011"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 16:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1910 | Exploit, Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1910 | Exploit, Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:13.6.0:-:*:*:*:*:*:*",
"matchCriteriaId": "C0F29243-1953-4593-9D93-65BAF0D5D0EB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php."
}
],
"id": "CVE-2023-33361",
"lastModified": "2025-01-31T16:15:30.407",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-23T14:15:09.863",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1910"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1910"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-21 04:29
Modified
2024-11-21 03:18
Severity ?
Summary
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB83CB5C-D31C-42B7-B011-72AE25409448",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database."
},
{
"lang": "es",
"value": "El componente Batch Manager de Piwigo 2.9.2 es vulnerable a inyecci\u00f3n SQL mediante el par\u00e1metro element_ids en admin/batch_manager_unit.php en modo unit. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada."
}
],
"id": "CVE-2017-17824",
"lastModified": "2024-11-21T03:18:45.450",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-21T04:29:00.353",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/825"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/825"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-23 14:15
Modified
2025-01-31 18:15
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1908 | Exploit, Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1908 | Exploit, Issue Tracking |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:13.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B279DE47-F1F5-4BB9-A47B-1C9B73DD9076",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the \"add tags\" function."
}
],
"id": "CVE-2023-33359",
"lastModified": "2025-01-31T18:15:33.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-05-23T14:15:09.813",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1908"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1908"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:26
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2C56A23-6191-4B62-82F3-35527976E603",
"versionEndIncluding": "2.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el backend administrativo en Piwigo anterior a 2.7.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s del par\u00e1metro page en admin.php."
}
],
"id": "CVE-2015-2034",
"lastModified": "2024-11-21T02:26:37.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-02-20T16:59:06.350",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72690"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/73"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72690"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-06 14:15
Modified
2024-11-21 05:09
Severity ?
Summary
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1009 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1009 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4803EBB7-FB18-4FB3-A3B1-A476BB2E20AF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en el archivo admin/group_list.php en piwigo versi\u00f3n v2.9.5, por medio del par\u00e1metro group to delete"
}
],
"id": "CVE-2020-19212",
"lastModified": "2024-11-21T05:09:02.110",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-06T14:15:08.217",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1009"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1009"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-02-20 16:59
Modified
2024-11-21 02:25
Severity ?
Summary
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2C56A23-6191-4B62-82F3-35527976E603",
"versionEndIncluding": "2.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a \"Refresh photo set\" action in the batch_manager page to admin.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Piwigo anterior a 2.7.4, cuando todos los filtros est\u00e1n activados, permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro filter_level en una acci\u00f3n \u0027Refresh photo set\u0027 en la p\u00e1gina batch_manager en admin.php."
}
],
"id": "CVE-2015-1517",
"lastModified": "2024-11-21T02:25:35.300",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-02-20T16:59:05.163",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/534723/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72664"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/forum/viewtopic.php?id=25179"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.7.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/534723/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72664"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-14 22:55
Modified
2024-11-21 01:38
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E9FA2940-9F57-469B-BFEE-5499A87C4394",
"versionEndIncluding": "2.3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en admin.php en Piwigo antes de v2.3.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) el par\u00e1metro \u0027section\u0027 en el m\u00f3dulo de configuraci\u00f3n, (2) el par\u00e1metro InstallStatus en el m\u00f3dulo languages_new, o (3) el par\u00e1metro \u0027theme\u0027 en el m\u00f3dulo \u0027theme\u0027.\r\n"
}
],
"id": "CVE-2012-2209",
"lastModified": "2024-11-21T01:38:42.513",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-14T22:55:01.847",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"source": "cve@mitre.org",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/48903"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/bugs/view.php?id=2607"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/forum/viewtopic.php?id=19173"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/releases/2.3.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/48903"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18782"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/53245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75186"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23085"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-10-10 20:29
Modified
2024-11-21 02:44
Severity ?
Summary
Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://piwigo.org/releases/2.8.3 | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/548 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://piwigo.org/releases/2.8.3 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/548 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A4BE149-A8CA-4C7D-9A2F-0ACAEEFB375A",
"versionEndIncluding": "2.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php."
},
{
"lang": "es",
"value": "Existe Cross-Site Scripting (XSS) en Piwigo en versiones anteriores a la 2.8.3 mediante una expresi\u00f3n de b\u00fasqueda manipulada en include/functions_search.inc.php."
}
],
"id": "CVE-2016-10513",
"lastModified": "2024-11-21T02:44:10.577",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-10T20:29:00.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://piwigo.org/releases/2.8.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/9a93d1f44b06605af84520509e7a0e8b64ab0c05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/548"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-12 13:15
Modified
2024-11-21 08:38
Severity ?
Summary
Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/AdminTools/issues/21 | Exploit, Issue Tracking, Vendor Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/2069 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/AdminTools/issues/21 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/2069 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:14.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DF997677-CC8C-40D2-BAA6-EF1374DC731F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross Site Scripting en piwigo v.14.0.0 permite a un atacante remoto obtener informaci\u00f3n confidencial a trav\u00e9s del par\u00e1metro lang en el componente del complemento Herramientas de Administrador."
}
],
"id": "CVE-2023-51790",
"lastModified": "2024-11-21T08:38:48.780",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-12T13:15:11.733",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/AdminTools/issues/21"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/2069"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/AdminTools/issues/21"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/2069"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-21 17:15
Modified
2024-11-21 05:13
Severity ?
Summary
A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/1157 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/1157 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8E8B6457-1AF4-4B29-AF6E-9682E45BB2A9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross site scripting (XSS) almacenado en el archivo /admin.php?page=tags de Piwigo versi\u00f3n 2.10.1, permite a atacantes ejecutar scripts web o HTML arbitrarios"
}
],
"id": "CVE-2020-22148",
"lastModified": "2024-11-21T05:13:06.920",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-21T17:15:08.123",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1157"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/1157"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-24 16:29
Modified
2024-11-21 04:11
Severity ?
Summary
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/839 | Third Party Advisory | |
| cve@mitre.org | https://pastebin.com/tPebQFy4 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/839 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pastebin.com/tPebQFy4 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5EECFD6C-9D78-4947-98DC-6A068A48DEE6",
"versionEndExcluding": "2.9.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator."
},
{
"lang": "es",
"value": "Piwigo, en versiones anteriores a la 2.9.3, tiene inyecci\u00f3n SQL en admin/tags.php en el panel de administraci\u00f3n mediante el par\u00e1metro tags del array en una petici\u00f3n admin.php?page=tags. El atacante debe ser un administrador."
}
],
"id": "CVE-2018-6883",
"lastModified": "2024-11-21T04:11:21.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-24T16:29:00.223",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/839"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://pastebin.com/tPebQFy4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/839"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://pastebin.com/tPebQFy4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-14 19:29
Modified
2024-11-21 03:36
Severity ?
Summary
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/Piwigo/Piwigo/issues/705 | Issue Tracking, Patch, Third Party Advisory | |
| cve@mitre.org | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Piwigo/Piwigo/issues/705 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1931608C-2835-4E94-AC78-CCBB6C9EC9E5",
"versionEndIncluding": "2.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart \u0026 iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n Piwigo esta afectada por una vulnerabilidad de inyecci\u00f3n SQL en la versi\u00f3n 2.9.0 y posiblemente anteriores. Esta vulnerabilidad permite a los atacantes identificados remotos obtener informaci\u00f3n en el contexto del usuario usado por la aplicaci\u00f3n para recuperar datos de la base de datos. El componente del archivo user_list_backend.php se ve afectado: los valores de los par\u00e1metros iDisplayStart y iDisplayLength no son saneados; estos se utilizan para construir una consulta SQL y recuperar una lista de usuarios registrados en la aplicaci\u00f3n."
}
],
"id": "CVE-2017-9463",
"lastModified": "2024-11-21T03:36:11.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-14T19:29:00.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/705"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/commit/42920897ce927c236728d387f61bf03d117109a2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Piwigo/Piwigo/issues/705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-003"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-05-04 16:00
Modified
2024-11-21 01:15
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| piwigo | piwigo | * | |
| piwigo | piwigo | 1.0.0 | |
| piwigo | piwigo | 1.0.1 | |
| piwigo | piwigo | 1.0.2 | |
| piwigo | piwigo | 1.1.0 | |
| piwigo | piwigo | 1.2.0 | |
| piwigo | piwigo | 1.2.1 | |
| piwigo | piwigo | 1.3.0 | |
| piwigo | piwigo | 1.3.1 | |
| piwigo | piwigo | 1.3.2 | |
| piwigo | piwigo | 1.3.3 | |
| piwigo | piwigo | 1.3.4 | |
| piwigo | piwigo | 1.4.0 | |
| piwigo | piwigo | 1.4.1 | |
| piwigo | piwigo | 1.5.0 | |
| piwigo | piwigo | 1.5.1 | |
| piwigo | piwigo | 1.5.2 | |
| piwigo | piwigo | 1.6.0 | |
| piwigo | piwigo | 1.6.1 | |
| piwigo | piwigo | 1.6.2 | |
| piwigo | piwigo | 1.7.0 | |
| piwigo | piwigo | 1.7.1 | |
| piwigo | piwigo | 1.7.2 | |
| piwigo | piwigo | 1.7.3 | |
| piwigo | piwigo | 2.0.0 | |
| piwigo | piwigo | 2.0.1 | |
| piwigo | piwigo | 2.0.2 | |
| piwigo | piwigo | 2.0.3 | |
| piwigo | piwigo | 2.0.4 | |
| piwigo | piwigo | 2.0.5 | |
| piwigo | piwigo | 2.0.6 | |
| piwigo | piwigo | 2.0.7 | |
| piwigo | piwigo | 2.0.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "828D4A04-FE5F-4A3F-931C-9AF139D59B26",
"versionEndIncluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "D245F2A4-676D-478F-8D0F-E183CF52E656",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FA08469C-BD2B-4EDA-86DB-35F65A1A35E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "2E349A00-60C3-426A-B6AA-B940B60B28F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9D724AA1-B057-409F-ABCA-064586771118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D3A4E8E3-1920-43CB-9D84-9EF84BB5F9CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "38A03451-C199-44DD-A4ED-298B50193FA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB4DCFBE-C8FC-4D80-9DE6-04BBC3494949",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "752561BC-D824-4264-8697-DD9DE88F7D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "615E6F3A-162D-42F6-A537-442E9ED0B385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "36F26A2A-2175-4665-ACA5-A417A665B662",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A2D17AE0-823E-41EC-A282-10103975E792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E99613B2-BF99-4A44-9240-9720A17206A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ADBE8CF0-1CBE-478D-9E1E-54363F3B7C09",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B899A695-73BA-4459-86E4-E96E12FB4CA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7081BEAD-39F5-48EC-B13F-81073D7C4C2C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EAC7628A-2083-41A2-8621-DACD3F769C53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D565B05-80D5-400A-ADBB-8DE393798D7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7F7623DB-E676-41B3-A15D-6769BF7E230D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC7011F-D136-4402-93D8-3C6E8A7ED8BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15D63E08-D7E4-4960-B4A3-9BEBA6150CA7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "03BBE4F6-35E8-4935-B657-651D3D822890",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6A62DCAD-3C28-4595-9095-90DBA3944BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:1.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0064F204-3F3F-4E32-8104-A15ECC8464D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "37DF27D2-E4CB-4A49-8D42-F41ED29136C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB57804-F8DA-4366-9B75-E5241D137352",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C51558C-4DF9-4D62-A679-64361E584802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E7C6E6DE-B5AC-48FA-A6EE-CF1C596D34BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "452E5E75-FD84-436E-A51B-793346A1456C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "C19CE4F7-2033-44E7-BBD2-70D451692E37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "53297CBE-F8E4-4BFF-BC49-51E7F26E11B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "DA9B8AE0-F86A-4362-BF9E-A04C8BF801B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E621568-52A8-4DCB-B0E4-0C40E0DB06F6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en register.php en Piwigo v2.0.9 y anteriores, permiten a atacantes remotos inyectar c\u00f3digo web o HTML de su elecci\u00f3n a trav\u00e9s de los par\u00e1metros (1) login y (2) mail_address."
}
],
"id": "CVE-2010-1707",
"lastModified": "2024-11-21T01:15:01.030",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-05-04T16:00:35.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/1034"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://piwigo.org/code/wsvn/Piwigo?op=revision\u0026rev=5936"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2010/1034"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-08-17 18:55
Modified
2024-11-21 02:09
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C894787-1ED6-405E-957E-25FEB65F0955",
"versionEndIncluding": "2.6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BE8F6745-8E09-4D58-B097-E1C62305B46B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6CBD76E1-0362-4CFE-A306-CE5F13ADA54B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:piwigo:piwigo:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B95C9758-4EE5-4690-8EDF-575907C3A15A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en admin/picture_modify.php en el subsistema photo-edit en Piwigo 2.6.3 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del campo associate[], una vulnerabilidad diferente a CVE-2014-4649."
}
],
"id": "CVE-2014-3900",
"lastModified": "2024-11-21T02:09:05.297",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-08-17T18:55:01.747",
"references": [
{
"source": "vultures@jpcert.or.jp",
"url": "http://jvn.jp/en/jp/JVN09717399/index.html"
},
{
"source": "vultures@jpcert.or.jp",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093"
},
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"source": "vultures@jpcert.or.jp",
"url": "http://piwigo.org/dev/changeset/28678"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvn.jp/en/jp/JVN09717399/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://piwigo.org/bugs/view.php?id=3089"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://piwigo.org/dev/changeset/28678"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-14 20:15
Modified
2024-11-21 07:06
Severity ?
Summary
Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:piwigo:piwigo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "21D29051-50D8-4327-9D21-9459F6949EEA",
"versionEndIncluding": "12.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function."
},
{
"lang": "es",
"value": "Se ha detectado que Piwigo versi\u00f3n v12.2.0, contiene una vulnerabilidad de inyecci\u00f3n SQL por medio de la funci\u00f3n Search"
}
],
"id": "CVE-2022-32297",
"lastModified": "2024-11-21T07:06:07.900",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-14T20:15:08.620",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
jvndb-2014-000094
Vulnerability from jvndb
Published
2014-08-08 13:57
Modified
2014-08-08 13:57
Summary
Piwigo vulnerable to SQL injection
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a SQL injection vulnerability.
Yuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000094.html",
"dc:date": "2014-08-08T13:57+09:00",
"dcterms:issued": "2014-08-08T13:57+09:00",
"dcterms:modified": "2014-08-08T13:57+09:00",
"description": "Piwigo is a software to manage and host image files on the web. Piwigo contains a SQL injection vulnerability.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000094.html",
"sec:cpe": {
"#text": "cpe:/a:piwigo:piwigo",
"@product": "Piwigo",
"@vendor": "Piwigo",
"@version": "2.2"
},
"sec:cvss": {
"@score": "6.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000094",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN87962145/index.html",
"@id": "JVN#87962145",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4649",
"@id": "CVE-2014-4649",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2014-4649",
"@id": "CVE-2014-4649",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
}
],
"title": "Piwigo vulnerable to SQL injection"
}
jvndb-2014-000093
Vulnerability from jvndb
Published
2014-08-08 13:52
Modified
2014-08-19 16:48
Summary
Piwigo vulnerable to cross-site scripting
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability.
Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN09717399/ | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3900 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3900 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000093.html",
"dc:date": "2014-08-19T16:48+09:00",
"dcterms:issued": "2014-08-08T13:52+09:00",
"dcterms:modified": "2014-08-19T16:48+09:00",
"description": "Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000093.html",
"sec:cpe": {
"#text": "cpe:/a:piwigo:piwigo",
"@product": "Piwigo",
"@vendor": "Piwigo",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000093",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN09717399/",
"@id": "JVN#09717399",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3900",
"@id": "CVE-2014-3900",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3900",
"@id": "CVE-2014-3900",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Piwigo vulnerable to cross-site scripting"
}
jvndb-2014-000092
Vulnerability from jvndb
Published
2014-08-08 13:49
Modified
2014-08-15 13:35
Summary
Piwigo vulnerable to cross-site scripting
Details
Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability when the "Community" plugin is activated and validation on user uploaded photos is disabled.
Yuji Tounai of bogus.jp reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN80310172/ | |
| CVE | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1980 | |
| NVD | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1980 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000092.html",
"dc:date": "2014-08-15T13:35+09:00",
"dcterms:issued": "2014-08-08T13:49+09:00",
"dcterms:modified": "2014-08-15T13:35+09:00",
"description": "Piwigo is a software to manage and host image files on the web. Piwigo contains a cross-site scripting vulnerability when the \"Community\" plugin is activated and validation on user uploaded photos is disabled.\r\n\r\nYuji Tounai of bogus.jp reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000092.html",
"sec:cpe": {
"#text": "cpe:/a:piwigo:piwigo",
"@product": "Piwigo",
"@vendor": "Piwigo",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2014-000092",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN80310172/",
"@id": "JVN#80310172",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1980",
"@id": "CVE-2014-1980",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1980",
"@id": "CVE-2014-1980",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "Piwigo vulnerable to cross-site scripting"
}