RSS   Vulnerabilities for 'Piwigo'   RSS

2018-03-16
 
CVE-2014-4613

CWE-352
 

 
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.

 
2018-03-06
 
CVE-2018-7724

CWE-79
 

 
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.

 
 
CVE-2018-7723

CWE-79
 

 
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.

 
 
CVE-2018-7722

CWE-79
 

 
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.

 
2018-02-24
 
CVE-2018-6883

CWE-89
 

 
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.

 
2018-01-13
 
CVE-2018-5692

CWE-79
 

 
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.

 
2017-12-20
 
CVE-2017-17827

CWE-352
 

 
Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

 
 
CVE-2017-17826

CWE-79
 

 
The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

 
 
CVE-2017-17825

CWE-79
 

 
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

 
 
CVE-2017-17824

CWE-89
 

 
The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.

 


Copyright 2018, cxsecurity.com

 

Back to Top