CVE-2012-4525
https://notcve.org/view.php?id=CVE-2012-4525
piwigo has XSS in password.php piwigo presenta una vulnerabilidad de tipo XSS en el archivo password.php. • http://www.openwall.com/lists/oss-security/2012/10/18/4 http://www.openwall.com/lists/oss-security/2013/02/11/1 http://www.securityfocus.com/bid/55710 https://access.redhat.com/security/cve/cve-2012-4525 https://security-tracker.debian.org/tracker/CVE-2012-4525 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-4613 – Piwigo 2.6.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-4613
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el el panel de administración en versiones anteriores a la 2.6.2 en Piwigo permite que atacantes remotos secuestren la autenticación de administradores para peticiones que añadan usuarios mediante una acción pwg.users.add en una petición en ws.php. • https://www.exploit-db.com/exploits/31916 http://osvdb.org/show/osvdb/103774 http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html http://piwigo.org/bugs/view.php?id=0003055 http://piwigo.org/releases/2.6.2 http://seclists.org/oss-sec/2014/q2/610 http://seclists.org/oss-sec/2014/q2/623 http://www.exploit-db.com/exploits/31916 http://www.securityfocus.com/bid/65811 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2018-6883
https://notcve.org/view.php?id=CVE-2018-6883
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator. Piwigo, en versiones anteriores a la 2.9.3, tiene inyección SQL en admin/tags.php en el panel de administración mediante el parámetro tags del array en una petición admin.php?page=tags. • https://github.com/Piwigo/Piwigo/issues/839 https://pastebin.com/tPebQFy4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-5692
https://notcve.org/view.php?id=CVE-2018-5692
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. Piwigo v2.8.2 tiene XSS mediante los parámetros "tab", "to", "section", "mode", "installstatus" y "display" del archivo "admin.php". • https://www.vulnerability-lab.com/get_content.php?id=2005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-17825
https://notcve.org/view.php?id=CVE-2017-17825
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it. El componente Batch Manager de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante los parámetros de array tags-* en una petición admin.php?page=batch_managermode=unit. • https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •