CVE-2015-1517 – Piwigo 2.7.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-1517
SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php. Piwigo version 2.7.3 suffers from a remote SQL injection vulnerability.
References:
- https://www.exploit-db.com/exploits/36125
- http://packetstormsecurity.com/files/130440/Piwigo-2.7.3-SQL-Injection.html
- http://piwigo.org/forum/viewtopic.php?id=25179
- http://piwigo.org/releases/2.7.4
- http://www.securityfocus.com/archive/1/534723/100/0/threaded
- http://www.securityfocus.com/bid/72664
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-1441
https://notcve.org/view.php?id=CVE-2015-1441
SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References:
- http://piwigo.org/forum/viewtopic.php?id=25016
- http://piwigo.org/releases/2.5.6
- http://piwigo.org/releases/2.6.5
- http://piwigo.org/releases/2.7.3
- http://secunia.com/advisories/62606
- http://www.securityfocus.com/bid/72400
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-9115 – Piwigo 2.6.0 - 'picture.php?rate' SQL Injection
https://notcve.org/view.php?id=CVE-2014-9115
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References:
- https://www.exploit-db.com/exploits/35221
- http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php
- http://piwigo.org/forum/viewtopic.php?id=24850
- http://piwigo.org/releases/2.7.2
- http://seclists.org/fulldisclosure/2014/Nov/23
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-3900
https://notcve.org/view.php?id=CVE-2014-3900
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References:
- http://jvn.jp/en/jp/JVN09717399/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093
- http://piwigo.org/bugs/view.php?id=3089
- http://piwigo.org/dev/changeset/28678
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-1980
https://notcve.org/view.php?id=CVE-2014-1980
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
References:
- http://jvn.jp/en/jp/JVN80310172/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092
- http://piwigo.org/bugs/view.php?id=2805
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')