CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48311
https://notcve.org/view.php?id=CVE-2024-48311
31 Oct 2024 — Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. Se descubrió que Piwigo v14.5.0 contenía cross-site request forgery (CSRF) a través de la función Editar álbum. • https://github.com/whiteshark2k/Piwigo-CSRF/blob/main/Piwigo-CSRF.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46605
https://notcve.org/view.php?id=CVE-2024-46605
16 Oct 2024 — A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. Una vulnerabilidad de cross-site scripting (XSS) en el componente /admin.php?page=album de Piwigo v14.5.0 permite a los atacantes ejecutar secuencias de comandos web o HTML arbitrarios a través de un payload manipulado específicamente para tal fin e inyectada en el campo Descripción. • http://piwigo.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46606
https://notcve.org/view.php?id=CVE-2024-46606
16 Oct 2024 — A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. Una vulnerabilidad de cross-site scripting (XSS) en el componente /admin.php?page=photo de Piwigo v14.5.0 permite a los atacantes ejecutar secuencias de comandos web o HTML arbitrarios a través de un payload manipulado específicamente para tal fin e inyectada en el campo Descripción. • http://piwigo.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46333
https://notcve.org/view.php?id=CVE-2024-46333
27 Sep 2024 — An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function. • https://github.com/whiteshark2k/Piwigo-XSS/blob/main/Piwigo-XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26450
https://notcve.org/view.php?id=CVE-2024-26450
28 Feb 2024 — An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener. La vulnerabilidad de Cross Site Scripting en Piwigo anteri... • https://github.com/Piwigo/Piwigo/security/advisories/GHSA-p362-cfpj-q55f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-51790
https://notcve.org/view.php?id=CVE-2023-51790
12 Jan 2024 — Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component. Vulnerabilidad de Cross Site Scripting en piwigo v.14.0.0 permite a un atacante remoto obtener información confidencial a través del parámetro lang en el componente del complemento Herramientas de Administrador. • https://github.com/Piwigo/AdminTools/issues/21 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 4%CPEs: 4EXPL: 1CVE-2023-44393 – Piwigo Reflected XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-44393
09 Oct 2023 — Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into th... • https://github.com/Piwigo/Piwigo/commit/cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 9.0EPSS: 67%CPEs: 1EXPL: 1CVE-2023-37270 – Piwigo SQL Injection vulnerability in "User-Agent"
https://notcve.org/view.php?id=CVE-2023-37270
07 Jul 2023 — Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. • https://github.com/Piwigo/Piwigo/blob/c01ec38bc43f09424a8d404719c35f963d63cf00/include/dblayer/functions_mysqli.inc.php#L491 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34626
https://notcve.org/view.php?id=CVE-2023-34626
15 Jun 2023 — Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function. • https://github.com/Piwigo/Piwigo/issues/1924 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33359
https://notcve.org/view.php?id=CVE-2023-33359
23 May 2023 — Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function. • https://github.com/Piwigo/Piwigo/issues/1908 • CWE-352: Cross-Site Request Forgery (CSRF) •