CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 4CVE-2012-2208 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2208
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. Vulnerabilidad de recorrido de directorio en upgrade.php en Piwigo antes de v2.3.4 permite a atacantes remotos incluir y ejecutar archivos locales a través de un .. (punto punto) en el parámetro labguage (idioma). Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. • https://www.exploit-db.com/exploits/18782 http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html http://piwigo.org/bugs/view.php?id=2607 http://piwigo.org/forum/viewtopic.php?id=19173 http://piwigo.org/releases/2.3.4 http://secunia.com/advisories/48903 http://www.exploit-db.com/exploits/18782 http://www.securityfocus.com/bid/53245 https://exchange.xforce.ibmcloud.com/vulnerabilities/75185 https://www.htbridge.com/advisory/HTB23085 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3790
https://notcve.org/view.php?id=CVE-2011-3790
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files. Piwigo v2.1.5 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con tools/metadata.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2010-1707
https://notcve.org/view.php?id=CVE-2010-1707
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en register.php en Piwigo v2.0.9 y anteriores, permiten a atacantes remotos inyectar código web o HTML de su elección a través de los parámetros (1) login y (2) mail_address. • http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936 http://www.vupen.com/english/advisories/2010/1034 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2009-4039 – Piwigo 2.0 - 'comments.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-4039
Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados(XSS) en Piwigo antes de v2.0.6 permite a atacantes remotos inyectar HTML o scripts web a través de vectores no especificados. • https://www.exploit-db.com/exploits/34367 http://piwigo.org/releases/2.0.6 http://secunia.com/advisories/37336 http://www.vupen.com/english/advisories/2009/3221 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2009-2933
https://notcve.org/view.php?id=CVE-2009-2933
SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter. Vulnerabilidad de inyección SQL en Piwigo en versiones anteriores a 2.0.3 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "items_number". • http://secunia.com/advisories/36333 http://www.securityfocus.com/archive/1/505801/100/0/threaded http://www.senseofsecurity.com.au/advisories/SOS-09-007.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •