Page 9 of 84 results (0.016 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it. El componente Batch Manager de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante los parámetros de array tags-* en una petición admin.php?page=batch_managermode=unit. • https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1

The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. El componente Configuration de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro de array order_by en admin/configuration.php. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983 https://github.com/Piwigo/Piwigo/issues/826 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. La API List Users de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro sSortDir_0 en /admin/user_list_backend.php. Un atacante puede explotarlo para obtener acceso a la información en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/33a03e9afb8fb00c9d8f480424d549311fe03d40 https://github.com/Piwigo/Piwigo/issues/823 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it. El componente Configuration de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante el parámetro gallery_title en una petición admin.php?page=configurationsection=main. • https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1

The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database. El componente Batch Manager de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro element_ids en admin/batch_manager_unit.php en modo unit. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/f7c8e0a947a857ff5d31dafd03842df41959b84c https://github.com/Piwigo/Piwigo/issues/825 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •