CVE-2021-27973 – Piwigo 11.3.0 - 'language' SQL Injection
https://notcve.org/view.php?id=CVE-2021-27973
SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages; the public exploit targets version 11.3.0. The parameter is reachable from the administration interface, so the precondition is an authenticated admin session (or a way to drive one, such as CSRF), and the fix is upgrading to 11.4.0 or later.
References: https://www.exploit-db.com/exploits/49818 http://packetstormsecurity.com/files/162404/Piwigo-11.3.0-SQL-Injection.html https://github.com/Piwigo/Piwigo/issues/1352
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-9468
https://notcve.org/view.php?id=CVE-2020-9468
The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. The plugin checks the caller's album permission but not whether the supplied image_id belongs to an album the caller may edit, the classic insecure-direct-object-reference pattern.
References: https://github.com/plegall/Piwigo-community/issues/49 https://piwigo.org/ext/extension_view.php?eid=303
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2020-9467 – Piwigo 2.10.1 - Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-9467
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function: the value is persisted as the image's file name and later rendered without output encoding, so the payload fires for every user who views the affected page.
References: https://www.exploit-db.com/exploits/48814 http://packetstormsecurity.com/files/159191/Piwigo-2.10.1-Cross-Site-Scripting.html https://github.com/Piwigo/Piwigo/issues/1168
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
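The two entries above (CVE-2021-27973 and CVE-2020-9467) both name the exact endpoint and parameter that carries the malicious input, which is enough to write a log-side detector. The block below is an added example, not Piwigo project code or anything from the advisories: it parses combined-format web server log lines, decodes the query string, and flags a `language` value on admin.php?page=languages that contains SQL metacharacters, or a `file` value on a ws.php pwg.images.setInfo call that contains HTML/script markers. The log lines are constructed for the example, and the indicator regexes are generic CWE-89 / CWE-79 heuristics (assumptions, not payloads taken from the exploits).

```python
"""Heuristic detection for the Piwigo request patterns described by
CVE-2021-27973 (SQLi via `language` on admin.php?page=languages) and
CVE-2020-9467 (stored XSS via `file` on ws.php method=pwg.images.setInfo).

Added example; not Piwigo code. Log lines and indicator patterns are
constructed assumptions for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined" log format: client, ident, user, [timestamp],
# "METHOD target HTTP/x.y", status, size ...  (trailing fields ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Generic CWE-89 indicators: quote, comment markers, UNION/SELECT,
# time-based primitives. Assumed heuristics, not advisory content.
SQLI_HINTS = re.compile(
    r"""('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()""", re.I
)
# Generic CWE-79 indicators: an opening tag, javascript: URL, on*= handler.
XSS_HINTS = re.compile(r"""(<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=)""", re.I)


def parse_line(line):
    """Return a dict with ip/ts/method/path/params/status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    url = urlsplit(d["target"])
    d["path"] = url.path
    # parse_qs decodes once; unquote_plus decodes a second time so a
    # double-encoded payload (%2527 -> %27 -> ') is still visible.
    d["params"] = {
        k: [unquote_plus(x) for x in v]
        for k, v in parse_qs(url.query, keep_blank_values=True).items()
    }
    return d


def check_request(d):
    """Return a list of (cve, parameter, offending value) for one request."""
    findings = []
    path, p = d["path"], d["params"]
    if path.endswith("/admin.php") and p.get("page") == ["languages"]:
        for v in p.get("language", []):
            if SQLI_HINTS.search(v):
                findings.append(("CVE-2021-27973", "language", v))
    if path.endswith("/ws.php") and p.get("method") == ["pwg.images.setInfo"]:
        for v in p.get("file", []):
            if XSS_HINTS.search(v):
                findings.append(("CVE-2020-9467", "file", v))
    return findings


def scan(lines):
    """Run check_request over every parseable line; return flat hit list."""
    hits = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        for cve, param, value in check_request(d):
            hits.append({"ip": d["ip"], "ts": d["ts"], "status": d["status"],
                         "cve": cve, "param": param, "value": value})
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up times).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2021:10:01:02 +0000] "GET /piwigo/admin.php?page=languages&language=en_UK HTTP/1.1" 200 5120',
    '203.0.113.9 - - [27/Apr/2021:10:02:17 +0000] "GET /piwigo/admin.php?page=languages&language=en_UK%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Apr/2021:10:03:40 +0000] "GET /piwigo/ws.php?format=json&method=pwg.images.setInfo&image_id=12&file=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88',
    '198.51.100.7 - - [27/Apr/2021:10:04:01 +0000] "GET /piwigo/ws.php?format=json&method=pwg.images.setInfo&image_id=12&file=holiday.jpg HTTP/1.1" 200 88',
    "not a log line",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["cve"]} {h["param"]}={h["value"]!r} status={h["status"]}')
```

Two caveats for anyone deploying this: ws.php is normally called with POST, so the `file` parameter will not appear in an access log at all, and the detector then needs a request-body source (WAF, reverse-proxy body logging, or the application's own logs); and the SQL indicators will fire on benign values containing an apostrophe, so treat hits on admin.php as triage leads, not verdicts. Neither heuristic is a substitute for upgrading past 11.4.0 / 2.10.1.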
CVE-2020-8089
https://notcve.org/view.php?id=CVE-2020-8089
Piwigo 2.10.1 is affected by stored XSS via the Group Name field on the group_list page: a group name is saved verbatim and rendered unescaped in the administration group list, so it executes in the browser of any administrator who opens that page.
References: https://github.com/Piwigo/Piwigo/issues/1150 https://piwigo.org/forum/viewforum.php?id=23
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-4526
https://notcve.org/view.php?id=CVE-2012-4526
Piwigo has XSS in password.php; this is an incomplete fix for CVE-2012-4525, so a deployment patched only for the earlier CVE remains exposed.
References: http://www.openwall.com/lists/oss-security/2012/10/18/4 http://www.openwall.com/lists/oss-security/2013/02/11/1 http://www.securityfocus.com/bid/55710 https://access.redhat.com/security/cve/cve-2012-4526 https://security-tracker.debian.org/tracker/CVE-2012-4526
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')