CVE-2014-3900
https://notcve.org/view.php?id=CVE-2014-3900
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
• http://jvn.jp/en/jp/JVN09717399/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093
• http://piwigo.org/bugs/view.php?id=3089
• http://piwigo.org/dev/changeset/28678
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-4649
https://notcve.org/view.php?id=CVE-2014-4649
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
• http://piwigo.org/bugs/changelog_page.php
• http://piwigo.org/bugs/view.php?id=3089
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')