CVE-2018-7723
https://notcve.org/view.php?id=CVE-2018-7723
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible. El panel de gestión en Piwigo 2.9.3 tiene Cross-Site Scripting (XSS) persistente mediante el parámetro virtual_name en una petición /admin.php?page=cat_list. • https://github.com/summ3rf/Vulner/blob/master/Piwigo%20Store%20XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-6883
https://notcve.org/view.php?id=CVE-2018-6883
Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator. Piwigo, en versiones anteriores a la 2.9.3, tiene inyección SQL en admin/tags.php en el panel de administración mediante el parámetro tags del array en una petición admin.php?page=tags. • https://github.com/Piwigo/Piwigo/issues/839 https://pastebin.com/tPebQFy4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-5692
https://notcve.org/view.php?id=CVE-2018-5692
Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. Piwigo v2.8.2 tiene XSS mediante los parámetros "tab", "to", "section", "mode", "installstatus" y "display" del archivo "admin.php". • https://www.vulnerability-lab.com/get_content.php?id=2005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-17825
https://notcve.org/view.php?id=CVE-2017-17825
The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it. El componente Batch Manager de Piwigo 2.9.2 es vulnerable a Cross-Site Scripting (XSS) persistente mediante los parámetros de array tags-* en una petición admin.php?page=batch_managermode=unit. • https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Stored%20XSS%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-17823
https://notcve.org/view.php?id=CVE-2017-17823
The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database. El componente Configuration de Piwigo 2.9.2 es vulnerable a inyección SQL mediante el parámetro de array order_by en admin/configuration.php. Un atacante puede explotarlo para obtener acceso a los datos en una base de datos MySQL conectada. • https://github.com/Piwigo/Piwigo/commit/91ef7909a5c51203f330cbecf986472900b60983 https://github.com/Piwigo/Piwigo/issues/826 https://github.com/sahildhar/sahildhar.github.io/blob/master/research/reports/Piwigo_2.9.2/Multiple%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo%202.9.2.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •