CVE-2014-1980
https://notcve.org/view.php?id=CVE-2014-1980
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
• http://jvn.jp/en/jp/JVN80310172/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092 http://piwigo.org/bugs/view.php?id=2805
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4614
https://notcve.org/view.php?id=CVE-2014-4614
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
• http://piwigo.org/bugs/view.php?id=0003055 http://piwigo.org/releases/2.6.2 http://seclists.org/oss-sec/2014/q2/623
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-4649
https://notcve.org/view.php?id=CVE-2014-4649
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
• http://piwigo.org/bugs/changelog_page.php http://piwigo.org/bugs/view.php?id=3089
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-4648
https://notcve.org/view.php?id=CVE-2014-4648
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
• http://piwigo.org/forum/viewtopic.php?id=24009 http://piwigo.org/releases/2.6.3
CVE-2013-1468 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1468
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/24561 http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html http://piwigo.org/bugs/view.php?id=0002844 http://piwigo.org/forum/viewtopic.php?id=21470 http://piwigo.org/releases/2.4.7 http://secunia.com/advisories/52228 http://www.exploit-db.com/exploits/24561 http://www.osvdb.org/90504 https://www.htbridge.com/advisory/HTB
• CWE-352: Cross-Site Request Forgery (CSRF)