CVSS: 7.6EPSS: 31%CPEs: 61EXPL: 4CVE-2013-1468 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1468
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el complemento LocalFiles Editor de Piwigo anterior a v2.4.7 que permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que crean ficheros arbitrarios PHP a través de vectores sin especificar. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/24561 http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html http://piwigo.org/bugs/view.php?id=0002844 http://piwigo.org/forum/viewtopic.php?id=21470 http://piwigo.org/releases/2.4.7 http://secunia.com/advisories/52228 http://www.exploit-db.com/exploits/24561 http://www.osvdb.org/90504 https://www.htbridge.com/advisory/HTB • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 5CVE-2012-2209 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2209
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en admin.php en Piwigo antes de v2.3.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro 'section' en el módulo de configuración, (2) el parámetro InstallStatus en el módulo languages_new, o (3) el parámetro 'theme' en el módulo 'theme'. Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. • https://www.exploit-db.com/exploits/18782 http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html http://piwigo.org/bugs/view.php?id=2607 http://piwigo.org/forum/viewtopic.php?id=19173 http://piwigo.org/releases/2.3.4 http://secunia.com/advisories/48903 http://www.exploit-db.com/exploits/18782 http://www.securityfocus.com/bid/53245 https://exchange.xforce.ibmcloud.com/vulnerabilities/75186 https://www.htbridge.com/advisory/HTB23085 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 4CVE-2012-2208 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2208
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. Vulnerabilidad de recorrido de directorio en upgrade.php en Piwigo antes de v2.3.4 permite a atacantes remotos incluir y ejecutar archivos locales a través de un .. (punto punto) en el parámetro labguage (idioma). Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. • https://www.exploit-db.com/exploits/18782 http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html http://piwigo.org/bugs/view.php?id=2607 http://piwigo.org/forum/viewtopic.php?id=19173 http://piwigo.org/releases/2.3.4 http://secunia.com/advisories/48903 http://www.exploit-db.com/exploits/18782 http://www.securityfocus.com/bid/53245 https://exchange.xforce.ibmcloud.com/vulnerabilities/75185 https://www.htbridge.com/advisory/HTB23085 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2011-3790
https://notcve.org/view.php?id=CVE-2011-3790
Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files. Piwigo v2.1.5 permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con tools/metadata.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/piwigo-2.1.5 http://www.openwall.com/lists/oss-security/2011/06/27/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2010-1707
https://notcve.org/view.php?id=CVE-2010-1707
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en register.php en Piwigo v2.0.9 y anteriores, permiten a atacantes remotos inyectar código web o HTML de su elección a través de los parámetros (1) login y (2) mail_address. • http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936 http://www.vupen.com/english/advisories/2010/1034 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •