CVE-2014-9115 – Piwigo 2.6.0 - 'picture.php?rate' SQL Injection
https://notcve.org/view.php?id=CVE-2014-9115
SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.
References:
https://www.exploit-db.com/exploits/35221
http://piwigo.org/dev/changeset/30563/trunk/include/functions_rate.inc.php
http://piwigo.org/forum/viewtopic.php?id=24850
http://piwigo.org/releases/2.7.2
http://seclists.org/fulldisclosure/2014/Nov/23
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-3900
https://notcve.org/view.php?id=CVE-2014-3900
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
References:
http://jvn.jp/en/jp/JVN09717399/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093
http://piwigo.org/bugs/view.php?id=3089
http://piwigo.org/dev/changeset/28678
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4614
https://notcve.org/view.php?id=CVE-2014-4614
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
References:
http://piwigo.org/bugs/view.php?id=0003055
http://piwigo.org/releases/2.6.2
http://seclists.org/oss-sec/2014/q2/623
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-4648
https://notcve.org/view.php?id=CVE-2014-4648
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
References:
http://piwigo.org/forum/viewtopic.php?id=24009
http://piwigo.org/releases/2.6.3
CVE-2013-1469 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1469
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter. Piwigo version 2.4.5 suffers from cross-site request forgery and path traversal vulnerabilities.
References:
https://www.exploit-db.com/exploits/24561
https://www.exploit-db.com/exploits/24520
http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html
http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html
http://piwigo.org/bugs/view.php?id=0002843
http://piwigo.org/forum/viewtopic.php?id=21470
http://piwigo.org/releases/2.4.7
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')