CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-2035
https://notcve.org/view.php?id=CVE-2015-2035
SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php. Vulnerabilidad de inyección SQL en el backend administrativo en Piwigo en versiones anteriores a 2.7.4 permite a administradores remotos ejecutar comandos SQL arbitrarios a través del parámetro user en la página del historial a admin.php. • http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html http://piwigo.org/forum/viewtopic.php?id=25179 http://piwigo.org/releases/2.7.4 http://seclists.org/fulldisclosure/2015/Feb/73 http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html http://www.securityfocus.com/bid/72689 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 4CVE-2015-2034
https://notcve.org/view.php?id=CVE-2015-2034
Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php. Vulnerabilidad de XSS en el backend administrativo en Piwigo anterior a 2.7.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro page en admin.php. • http://packetstormsecurity.com/files/130432/CMS-Piwigo-2.7.3-Cross-Site-Scripting-SQL-Injection.html http://piwigo.org/forum/viewtopic.php?id=25179 http://piwigo.org/releases/2.7.4 http://seclists.org/fulldisclosure/2015/Feb/73 http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html http://sroesemann.blogspot.de/2015/02/report-for-advisory-sroeadv-2015-06.html http://www.securityfocus.com/bid/72690 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1517 – Piwigo 2.7.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-1517
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php. Vulnerabilidad de inyección SQL en Piwigo anterior a 2.7.4, cuando todos los filtros están activados, permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro filter_level en una acción 'Refresh photo set' en la página batch_manager en admin.php. Piwigo version 2.7.3 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/36125 http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html http://piwigo.org/forum/viewtopic.php?id=25179 http://piwigo.org/releases/2.7.4 http://www.securityfocus.com/archive/1/534723/100/0/threaded http://www.securityfocus.com/bid/72664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2015-1441
https://notcve.org/view.php?id=CVE-2015-1441
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de SQL en Piwigo anterior a 2.5.6, 2.6.x anterior a 2.6.5, y 2.7.x anterior a 2.7.3 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://piwigo.org/forum/viewtopic.php?id=25016 http://piwigo.org/releases/2.5.6 http://piwigo.org/releases/2.6.5 http://piwigo.org/releases/2.7.3 http://secunia.com/advisories/62606 http://www.securityfocus.com/bid/72400 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 2CVE-2014-9115 – Piwigo 2.6.0 - 'picture.php?rate' SQL Injection
https://notcve.org/view.php?id=CVE-2014-9115
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit. Vulnerabilidad de inyección SQL en la función rate_picture en include/functions_rate.inc.php en Piwigo anterior a 2.5.5, 2.6.x anterior a 2.6.4, and 2.7.x anterior a 2.7.2 permite a atacantes remotos ejecutar sentencias SQL a través del parámetro de valoración a picture.php, debido a una comparación de un valor no numérico que empiece con un dígito. • https://www.exploit-db.com/exploits/35221 http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php http://piwigo.org/forum/viewtopic.php?id=24850 http://piwigo.org/releases/2.7.2 http://seclists.org/fulldisclosure/2014/Nov/23 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •