CVE-2014-3900
https://notcve.org/view.php?id=CVE-2014-3900
Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649. Vulnerabilidad de XSS en admin/picture_modify.php en el subsistema photo-edit en Piwigo 2.6.3 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo associate[], una vulnerabilidad diferente a CVE-2014-4649. • http://jvn.jp/en/jp/JVN09717399/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000093 http://piwigo.org/bugs/view.php?id=3089 http://piwigo.org/dev/changeset/28678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-1980
https://notcve.org/view.php?id=CVE-2014-1980
Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin. Vulnerabilidad de XSS en include/functions_metadata.inc.php en Piwigo anterior a 2.4.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del campo Make en los metadatos IPTC Exif dentro de un imagen subido al plugin Community. • http://jvn.jp/en/jp/JVN80310172/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2014-000092 http://piwigo.org/bugs/view.php?id=2805 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-4614
https://notcve.org/view.php?id=CVE-2014-4614
Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method. Múltiples vulnerabilidades de CSRF en Piwigo anterior a 2.6.2 permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que utilizan el método (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add o (6) pwg.permissions.remove. • http://piwigo.org/bugs/view.php?id=0003055 http://piwigo.org/releases/2.6.2 http://seclists.org/oss-sec/2014/q2/623 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-4648
https://notcve.org/view.php?id=CVE-2014-4648
Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure." Vulnerabilidad no especificada en Piwigo anterior a 2.6.3 tiene impacto y vectores de ataque desconocidos, relacionado con un 'fallo de seguridad.' • http://piwigo.org/forum/viewtopic.php?id=24009 http://piwigo.org/releases/2.6.3 •
CVE-2014-4649
https://notcve.org/view.php?id=CVE-2014-4649
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field. Vulnerabilidad de inyección SQL en el subsistema photo-edit en Piwigo 2.6.x y 2.7.x anterior a 2.7.0beta2 permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del campo associate[]. • http://piwigo.org/bugs/changelog_page.php http://piwigo.org/bugs/view.php?id=3089 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •