Page 3 of 17 results (0.011 seconds)

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. La API List Users de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro sSortDir_0 en /admin/user_list_backend.php. Un atacante puede explotarlo para obtener acceso a la información en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40 https://github.com/Piwigo/Piwigo/issues/823 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it. El componente Configuration de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante el parámetro gallery_title en una petición admin.php?page=configurationsection=main. • https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1

The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database. El componente Batch Manager de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro element_ids en admin/batch_manager_unit.php en modo unit. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c https://github.com/Piwigo/Piwigo/issues/825 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions. Piwigo 2.9.2 es vulnerable a Cross-Site Request Forgery (CSRF) mediante /admin.php? • https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f https://github.com/Piwigo/Piwigo/issues/822 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Cross%20Site%20Request%20Forgery%20in%20Piwigo%202.9.2.md • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request. Piwigo tiene una vulnerabilidad de Cross-Site Scripting (XSS) mediante el parámetro name en una petición admin.php?page=album-3-properties. • https://github.com/d4wner/Vulnerabilities-Report/blob/master/piwigo.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •