CVE-2013-1469 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1469
Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities. (The exploit title cites 2.4.6 and the advisory text 2.4.5; the fixed release is 2.4.7 in either case.)
• References:
  https://www.exploit-db.com/exploits/24561
  https://www.exploit-db.com/exploits/24520
  http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html
  http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html
  http://piwigo.org/bugs/view.php?id=0002843
  http://piwigo.org/forum/viewtopic.php?id=21470
  http://piwigo.org/releases/2.4.7
  http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2013-1468 – Piwigo 2.4.6 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1468
Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors. Piwigo version 2.4.5 suffers from cross site request forgery and path traversal vulnerabilities. Since the forged request creates PHP files on the server, a successful attack amounts to arbitrary code execution against any logged-in administrator who can be lured onto an attacker-controlled page.
• References:
  https://www.exploit-db.com/exploits/24561
  http://archives.neohapsis.com/archives/bugtraq/2013-02/0153.html
  http://packetstormsecurity.com/files/120592/Piwigo-2.4.6-Cross-Site-Request-Forgery-Traversal.html
  http://piwigo.org/bugs/view.php?id=0002844
  http://piwigo.org/forum/viewtopic.php?id=21470
  http://piwigo.org/releases/2.4.7
  http://secunia.com/advisories/52228
  http://www.osvdb.org/90504
  https://www.htbridge.com/advisory/HTB
• CWE-352: Cross-Site Request Forgery (CSRF)
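The following is an added example, not code from Piwigo or the LocalFiles Editor plugin, modelling the bug class in CVE-2013-1468: an admin-only "write a file" action gated by nothing but the session cookie, beside the same action gated by a per-session synchronizer token. The session store, the request dicts, the handler names and the file path are all constructed for illustration. It shows why a cross-site form POST succeeds against the first handler (the browser attaches the admin's cookie on its own) and fails against the second (the attacker cannot read the admin's token).

```python
"""Synchronizer-token CSRF check, modelled on the bug class in CVE-2013-1468.

Added example, not Piwigo or LocalFiles Editor code: the session store,
the request dicts and the handler names below are constructed.
"""
import hmac
import secrets

# Constructed in-memory state standing in for the server's session store
# and for the plugin's writable directory.
SESSIONS = {"sid-admin": {"user": "admin", "role": "admin", "csrf": None}}
WRITTEN_FILES = {}


def issue_csrf_token(session_id):
    """Mint a per-session token and bind it to the session (server side).
    The server embeds it in the form it renders; a cross-site page
    cannot read it because of the same-origin policy."""
    token = secrets.token_hex(32)
    SESSIONS[session_id]["csrf"] = token
    return token


def edit_file_vulnerable(request):
    """Vulnerable shape: only the session cookie gates the write.

    A form POST from any origin carries the victim's cookie automatically,
    so an attacker page can drive this handler with the admin's authority.
    """
    session = SESSIONS.get(request["cookies"].get("sid"))
    if not session or session["role"] != "admin":
        return 403
    WRITTEN_FILES[request["form"]["path"]] = request["form"]["content"]
    return 200


def edit_file_hardened(request):
    """Hardened shape: the cookie proves who, the token proves the request
    came from a page the server rendered for that same session.

    The token is compared in constant time and must match the value bound
    to the session the cookie names, so a token the attacker obtained from
    their own account is useless against the admin.
    """
    session = SESSIONS.get(request["cookies"].get("sid"))
    if not session or session["role"] != "admin":
        return 403
    expected = session.get("csrf")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # forged or replayed cross-site request
    WRITTEN_FILES[request["form"]["path"]] = request["form"]["content"]
    return 200


def forged_request():
    """Constructed request an attacker page can make the admin's browser
    send: the attacker chooses the form fields, the browser adds the cookie."""
    return {
        "cookies": {"sid": "sid-admin"},
        "form": {"path": "plugins/LocalFilesEditor/attacker.php",
                 "content": "<?php echo 'attacker-controlled code'; ?>"},
    }


def legitimate_request(token):
    """Same fields, but carrying the token the server gave this session."""
    req = forged_request()
    req["form"]["csrf_token"] = token
    return req


def demo():
    """Returns (vulnerable/forged, hardened/forged, hardened/legit, files)."""
    WRITTEN_FILES.clear()
    token = issue_csrf_token("sid-admin")
    forged_vuln = edit_file_vulnerable(forged_request())        # 200: written
    WRITTEN_FILES.clear()
    forged_hard = edit_file_hardened(forged_request())          # 403
    legit_hard = edit_file_hardened(legitimate_request(token))  # 200
    return forged_vuln, forged_hard, legit_hard, sorted(WRITTEN_FILES)


if __name__ == "__main__":
    print(demo())
```

The token must be bound to the session, not merely present: a check that only tests "some token field exists" is defeated by an attacker submitting their own. Binding it to the session plus a constant-time compare is what makes the cookie alone insufficient.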
CVE-2012-2209 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2209
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module. Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. All three sinks are in admin.php, so the realistic victim is an administrator following a crafted link, which puts the admin session within reach of the injected script.
• References:
  https://www.exploit-db.com/exploits/18782
  http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html
  http://piwigo.org/bugs/view.php?id=2607
  http://piwigo.org/forum/viewtopic.php?id=19173
  http://piwigo.org/releases/2.3.4
  http://secunia.com/advisories/48903
  http://www.securityfocus.com/bid/53245
  https://exchange.xforce.ibmcloud.com/vulnerabilities/75186
  https://www.htbridge.com/advisory/HTB23085
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-2208 – piwigo 2.3.3 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2208
Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. Piwigo version 2.3.3 suffers from cross site scripting and directory traversal vulnerabilities. Unlike the read/delete traversal in install.php (CVE-2013-1469), the sink here is an include, so any local file whose contents the attacker can influence becomes executable PHP.
• References:
  https://www.exploit-db.com/exploits/18782
  http://archives.neohapsis.com/archives/bugtraq/2012-04/0196.html
  http://piwigo.org/bugs/view.php?id=2607
  http://piwigo.org/forum/viewtopic.php?id=19173
  http://piwigo.org/releases/2.3.4
  http://secunia.com/advisories/48903
  http://www.securityfocus.com/bid/53245
  https://exchange.xforce.ibmcloud.com/vulnerabilities/75185
  https://www.htbridge.com/advisory/HTB23085
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
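The following is an added example, not Piwigo code, covering both traversal entries on this page: a free-form file name handed to read/unlink (CVE-2013-1469, the dl parameter) and a name handed to include (CVE-2012-2208, the language parameter). The directory layout under ROOT, the database.inc.php target, the resolver functions and the assumption that the include path is language/<name>/common.lang.php are all constructed here. It shows that concatenating the value onto a fixed directory escapes in both cases, that decoding before canonicalising catches the percent-encoded variant, and that for a value drawn from a small known set an allowlist is the simpler fix.

```python
"""Path-traversal containment for the two parameter shapes on this page:
a file name handed to read/unlink (CVE-2013-1469, install.php dl) and a
name handed to include (CVE-2012-2208, upgrade.php language).

Added example, not Piwigo code: the layout under ROOT, the target file
and both resolvers are constructed; the real include path has more
components than modelled here.
"""
import os
import re
import tempfile
import urllib.parse

# Constructed sandbox standing in for the web root.
ROOT = tempfile.mkdtemp(prefix="piwigo-demo-")
DOWNLOAD_DIR = os.path.join(ROOT, "_data", "dl")   # where dl= must stay
LANG_DIR = os.path.join(ROOT, "language")          # where language= must stay
SECRET = os.path.join(ROOT, "local", "config", "database.inc.php")
LANG_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")       # en_UK, fr_FR, ...


def build_sandbox():
    """Create the constructed tree: one legit download, one legit language
    file, and a config file two levels above the download directory."""
    for d in (DOWNLOAD_DIR, os.path.join(LANG_DIR, "en_UK"), os.path.dirname(SECRET)):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(DOWNLOAD_DIR, "export.zip"), "w") as f:
        f.write("constructed archive")
    with open(os.path.join(LANG_DIR, "en_UK", "common.lang.php"), "w") as f:
        f.write("<?php // constructed language file")
    with open(SECRET, "w") as f:
        f.write("<?php $conf['db_password'] = 'constructed';")


def resolve_vulnerable(base_dir, value):
    """Vulnerable shape: the request value is concatenated onto a fixed
    directory and handed to the filesystem, which happily walks '..'."""
    return base_dir + "/" + value


def resolve_contained(base_dir, value):
    """Hardened shape for a free-form file name (the dl case).

    Decode first so %2e%2e cannot slip past a later check, reject NUL
    (older PHP truncated paths at it), canonicalise with realpath so '..'
    and symlinks are resolved, then require the result to be a regular
    file still under base_dir.  Returns None when the request escapes.
    """
    decoded = urllib.parse.unquote(value)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def language_file_hardened(lang):
    """Hardened shape for a value with a small known set (the language
    case): an allowlist pattern beats path arithmetic, and only a value
    that passes it is ever used as a path segment."""
    if not LANG_RE.match(lang):
        return None
    path = os.path.join(LANG_DIR, lang, "common.lang.php")
    return path if os.path.isfile(path) else None


def demo():
    """Run every resolver against legit and hostile values."""
    build_sandbox()
    target = os.path.realpath(SECRET)

    def reaches_secret(path):
        return os.path.realpath(path) == target

    return {
        "dl_vuln_escapes": reaches_secret(resolve_vulnerable(DOWNLOAD_DIR, "../../local/config/database.inc.php")),
        "lang_vuln_escapes": reaches_secret(resolve_vulnerable(LANG_DIR, "../local/config/database.inc.php")),
        "dl_legit": resolve_contained(DOWNLOAD_DIR, "export.zip") is not None,
        "dl_dotdot": resolve_contained(DOWNLOAD_DIR, "../../local/config/database.inc.php"),
        "dl_encoded": resolve_contained(DOWNLOAD_DIR, "..%2F..%2Flocal%2Fconfig%2Fdatabase.inc.php"),
        "dl_absolute": resolve_contained(DOWNLOAD_DIR, SECRET),
        "lang_legit": language_file_hardened("en_UK") is not None,
        "lang_dotdot": language_file_hardened("../local/config"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The containment check is on the canonical path, not on the string: stripping ".." from the input is bypassable ("....//"), whereas realpath followed by a prefix comparison against the realpath of the base directory is not. For the unlink case the same resolver applies; the dangerous step is the same path computation regardless of whether the result is read or deleted.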
CVE-2010-1707
https://notcve.org/view.php?id=CVE-2010-1707
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
• References:
  http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936
  http://www.vupen.com/english/advisories/2010/1034
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
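The following is an added example, not Piwigo code, covering both reflected-XSS entries on this page: the admin.php parameters in CVE-2012-2209 (section, installstatus, theme) and the register.php parameters in CVE-2010-1707 (login, mail_address). The two page fragments, the payloads and the audit parser are constructed; one fragment reflects a parameter into element text, the other re-populates a form field, which is the attribute-context case where a stray double quote is the way out. It renders both the unescaped and the escaped version and parses the result to show which one actually ends up containing a script element or an event-handler attribute.

```python
"""Context-aware output encoding for the reflected-XSS shape in
CVE-2012-2209 (admin.php) and CVE-2010-1707 (register.php).

Added example, not Piwigo code: the fragments, payloads and audit parser
are constructed.
"""
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one aimed at an element-text sink, one at a
# double-quoted attribute sink where closing the quote is the escape.
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(section, login):
    """Vulnerable shape: request parameters concatenated straight into
    HTML, once in element text and once inside an attribute value."""
    return (
        f'<p class="error">Unknown section: {section}</p>\n'
        f'<input type="text" name="login" value="{login}">'
    )


def render_hardened(section, login):
    """Hardened shape: escape at the sink, for the sink's context.

    html.escape(quote=True) turns < > & " ' into entities, which is what
    both element text and a double-quoted attribute value need.  The
    attribute must be quoted in the template: in an unquoted attribute a
    plain space ends the value and no amount of entity encoding helps.
    """
    return (
        f'<p class="error">Unknown section: {html.escape(section, quote=True)}</p>\n'
        f'<input type="text" name="login" value="{html.escape(login, quote=True)}">'
    )


class SinkAudit(HTMLParser):
    """Parses a rendered fragment the way a browser would and records the
    two things the payloads try to create: <script> elements and on*
    event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _ in attrs:
            if name.startswith("on"):
                self.event_handlers.append((tag, name))


def audit(markup):
    """Return (number of script elements, [(tag, handler attribute), ...])."""
    parser = SinkAudit()
    parser.feed(markup)
    parser.close()
    return parser.script_tags, parser.event_handlers


def demo():
    """Audit the vulnerable and hardened renderings of the same input."""
    vulnerable = audit(render_vulnerable(TEXT_PAYLOAD, ATTR_PAYLOAD))
    hardened = audit(render_hardened(TEXT_PAYLOAD, ATTR_PAYLOAD))
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

Auditing with a real HTML parser rather than a substring search matters: the hardened output still contains the text "onfocus=" inside the attribute value, which a naive regex would flag, but the parser confirms no attribute of that name exists because the quote that would have ended the value was encoded.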