CVSS: 6.8EPSS: 0%CPEs: 65EXPL: 0CVE-2014-4614
https://notcve.org/view.php?id=CVE-2014-4614
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method. Múltiples vulnerabilidades de CSRF en Piwigo anterior a 2.6.2 permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que utilizan el método (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add o (6) pwg.permissions.remove. • http://piwigo.org/bugs/view.php?id=0003055 http://piwigo.org/releases/2.6.2 http://seclists.org/oss-sec/2014/q2/623 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2014-4648
https://notcve.org/view.php?id=CVE-2014-4648
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure." Vulnerabilidad no especificada en Piwigo anterior a 2.6.3 tiene impacto y vectores de ataque desconocidos, relacionado con un 'fallo de seguridad.' • http://piwigo.org/forum/viewtopic.php?id=24009 http://piwigo.org/releases/2.6.3 •
CVSS: 4.0EPSS: 48%CPEs: 61EXPL: 7CVE-2013-1469 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1469
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter. Vulnerabilidad de salto de directorio en install.php en Piwigo anterior a v2.4.7 que permite a atacantes remotos leer y eliminar ficheros arbitrarios a través de .. (punto punto) en el parámetro dl. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/24561 https://www.exploit-db.com/exploits/24520 http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html http://piwigo.org/bugs/view.php?id=0002843 http://piwigo.org/forum/viewtopic.php?id=21470 http://piwigo.org/releases/2.4.7 http://www.exploit-db.com/exploits/24561 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php&# • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.6EPSS: 31%CPEs: 61EXPL: 4CVE-2013-1468 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1468
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el complemento LocalFiles Editor de Piwigo anterior a v2.4.7 que permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que crean ficheros arbitrarios PHP a través de vectores sin especificar. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities. • https://www.exploit-db.com/exploits/24561 http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html http://piwigo.org/bugs/view.php?id=0002844 http://piwigo.org/forum/viewtopic.php?id=21470 http://piwigo.org/releases/2.4.7 http://secunia.com/advisories/52228 http://www.exploit-db.com/exploits/24561 http://www.osvdb.org/90504 https://www.htbridge.com/advisory/HTB • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 5CVE-2012-2209 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2209
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en admin.php en Piwigo antes de v2.3.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) el parámetro 'section' en el módulo de configuración, (2) el parámetro InstallStatus en el módulo languages_new, o (3) el parámetro 'theme' en el módulo 'theme'. Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. • https://www.exploit-db.com/exploits/18782 http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html http://piwigo.org/bugs/view.php?id=2607 http://piwigo.org/forum/viewtopic.php?id=19173 http://piwigo.org/releases/2.3.4 http://secunia.com/advisories/48903 http://www.exploit-db.com/exploits/18782 http://www.securityfocus.com/bid/53245 https://exchange.xforce.ibmcloud.com/vulnerabilities/75186 https://www.htbridge.com/advisory/HTB23085 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •