CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2020-19212
https://notcve.org/view.php?id=CVE-2020-19212
SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete. Una vulnerabilidad de inyección SQL en el archivo admin/group_list.php en piwigo versión v2.9.5, por medio del parámetro group to delete • https://github.com/Piwigo/Piwigo/issues/1009 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 3CVE-2021-27973 – Piwigo 11.3.0 - 'language' SQL
https://notcve.org/view.php?id=CVE-2021-27973
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages. Una inyección SQL se presenta en Piwigo versiones anteriores a 11.4.0, por medio del parámetro language en admin.php?page=languages. Piwigo version 11.3.0 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/49818 http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html https://github.com/Piwigo/Piwigo/issues/1352 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.6EPSS: 4%CPEs: 1EXPL: 2CVE-2019-13364 – Piwigo 2.9.5 Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-13364
admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. admin.php?page=account_billing en Piwigo versión 2.9.5, presenta una vulnerabilidad de tipo XSS por medio del parámetro vat_number, billing_name, company, o billing_address. Esto es explotable por medio de un ataque de tipo CSRF. • http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Sep/25 http://seclists.org/fulldisclosure/2020/Jun/29 https://github.com/Piwigo/Piwigo/issues https://piwigo.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 4%CPEs: 1EXPL: 2CVE-2019-13363 – Piwigo 2.9.5 Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-13363
admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF. admin.php?page=notify_by_mail en Piwigo versión 2.9.5 presenta una vulnerabilidad de tipo XSS por medio del parámetro nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, o param_submit. Esto es explotable por medio de un ataque de tipo CSRF. • http://packetstormsecurity.com/files/154484/Piwigo-2.9.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Sep/25 http://seclists.org/fulldisclosure/2020/Jun/29 https://github.com/Piwigo/Piwigo/issues https://piwigo.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •