Filtered by vendor Piwigo
Subscribe
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-7724 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-7723 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-7722 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible. | |||||
| CVE-2018-6883 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator. | |||||
| CVE-2018-5692 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. | |||||
| CVE-2016-3735 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset. | |||||
| CVE-2014-8945 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields. | |||||
| CVE-2014-8944 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter. | |||||
| CVE-2014-8943 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter. | |||||
| CVE-2014-8942 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Lexiglot through 2014-11-20 allows CSRF. | |||||
| CVE-2014-8941 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI. | |||||
| CVE-2014-8940 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI. | |||||
| CVE-2014-8939 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages. | |||||
| CVE-2014-8938 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line. | |||||
| CVE-2014-8937 | 1 Piwigo | 1 Lexiglot | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources. | |||||
| CVE-2014-4613 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php. | |||||
| CVE-2014-125053 | 1 Piwigo | 1 Guestbook | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability was found in Piwigo-Guest-Book up to 1.3.0. It has been declared as critical. This vulnerability affects unknown code of the file include/guestbook.inc.php of the component Navigation Bar. The manipulation of the argument start leads to sql injection. Upgrading to version 1.3.1 is able to address this issue. The patch is identified as 0cdd1c388edf15089c3a7541cefe7756e560581d. It is recommended to upgrade the affected component. VDB-217582 is the identifier assigned to this vulnerability. | |||||
| CVE-2012-4526 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) | |||||
| CVE-2012-4525 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| piwigo has XSS in password.php | |||||