
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
References: https://www.htbridge.com/advisory/HTB23093
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script code into the `TWG Explorer` item listing. The injection is sent in a POST request and the payload is stored server-side (persistent XSS rather than reflected): the injection point is the add/create input field, and the execution point is the item listing rendered after the add or create.
References: https://www.vulnerability-lab.com/get_content.php?id=1997
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch action to admin/index.php or (4) the searchitem parameter in a search action to admin/index.php.
References: http://osvdb.org/82962 ; http://www.securityfocus.com/bid/54019 ; http://www.tinywebgallery.com/forum/web-photo-gallery-news-f14/twg-1-8-8-is-available-t3274.html ; https://www.htbridge.com/advisory/HTB23093
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.
References: http://osvdb.org/show/osvdb/82961 ; http://www.tinywebgallery.com/forum/web-photo-gallery-news-f14/twg-1-8-8-is-available-t3274.html ; https://www.htbridge.com/advisory/HTB23093
CWE-352: Cross-Site Request Forgery (CSRF)
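The first result (authenticated PHP code injection into .htusers.php) and item (2) of this CSRF result describe the same underlying defect: a user record is written into a PHP source file by string concatenation, so a quote in the submitted value ends the literal and the remainder is executed the next time the file is included. The example below is added here to illustrate that CWE-74 pattern and its fix; it is not TinyWebGallery's code, and the one-statement-per-user record layout, the `$users[]` array name, the username character set and the role names are all assumptions made for the illustration, not the real .htusers.php format.

```python
import re

# Hypothetical record layout used for this illustration (NOT the real
# .htusers.php format): one PHP statement per user, e.g.
#   $users[] = array('alice', 'password-hash', 'admin');


def build_user_line_unsafe(name: str, pwhash: str, role: str) -> str:
    """Vulnerable pattern (CWE-74): request data concatenated into PHP source.
    A single quote in `name` ends the literal and whatever follows it runs as
    PHP when the file is next included."""
    return f"$users[] = array('{name}', '{pwhash}', '{role}');\n"


def php_quote(value: str) -> str:
    """Encode `value` as a PHP single-quoted literal. Inside '...' PHP only
    treats backslash and single quote specially, so those are the only two
    characters that need escaping (the same rule var_export() applies)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # assumed allow-list
ROLES = {"user", "admin"}                            # assumed role names


def build_user_line_safe(name: str, pwhash: str, role: str) -> str:
    """Hardened writer: reject anything outside the expected character set,
    then encode every field as a literal so a quote can never close it early."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username contains characters outside [A-Za-z0-9_.-]")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    return "$users[] = array(%s, %s, %s);\n" % (
        php_quote(name), php_quote(pwhash), php_quote(role))


def statements_outside_strings(php_line: str) -> int:
    """Count ';' characters that sit outside single-quoted literals. For the
    one-statement record format above the answer must be exactly 1; anything
    more means user data broke out of its literal. Only the '...' grammar is
    modelled, which is all the writers above emit."""
    count, in_string, i = 0, False, 0
    while i < len(php_line):
        c = php_line[i]
        if in_string:
            if c == "\\" and i + 1 < len(php_line) and php_line[i + 1] in "\\'":
                i += 1                      # escaped backslash or quote
            elif c == "'":
                in_string = False
        elif c == "'":
            in_string = True
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed payload: closes the literal, appends a statement, and
    # comments out the rest of the line.
    payload = "x'); echo 'injected'; //"
    bad = build_user_line_unsafe(payload, "hash", "user")
    print(bad.rstrip(), "->", statements_outside_strings(bad), "statements")
    print(build_user_line_safe("alice", "hash", "user").rstrip())
    try:
        build_user_line_safe(payload, "hash", "user")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the real fix; `php_quote` is defence in depth for fields such as the password hash that are generated server-side. Storing the records as data (JSON, or PHP's `serialize()` output) rather than as executable PHP removes the problem class entirely, and `statements_outside_strings` is only a cheap audit check for files that have already been written.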

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page image.php. TinyWebGallery versions 1.8.9 and below suffer from multiple path disclosure vulnerabilities.
References: https://packetstormsecurity.com/files/121128/TinyWebGallery-1.8.9-Path-Disclosure.html ; https://www.isecauditors.com/advisories-2013#2013-012
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
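Several of the results above name the exact request parameters involved (selitems[] and searchitem on admin/index.php, twg_browserx and twg_browsery on image.php, and admin actions such as adduser), which is enough to write a retrospective check against web server access logs. The script below is an added example, not part of this listing or of TinyWebGallery: it parses Apache "combined" format lines, flags HTML metacharacters in the parameters from the two XSS results, non-numeric values in the two image.php parameters from the path disclosure result, and admin/index.php requests whose Referer points at a different host (a CSRF indicator for the adduser/user requests). The log lines are constructed for the example, the gallery hostname `gallery.example` is an assumption, and the `action` query parameter name is taken from the sample lines rather than from the advisories. POST bodies are not in access logs, so the stored XSS in mkname/mkitem/item (the v2.4 result) cannot be seen this way.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache "combined" log format (not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2012:10:01:12 +0000] "GET /twg/admin/index.php?action=copy&selitems[]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "http://gallery.example/twg/admin/index.php" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2012:10:01:40 +0000] "GET /twg/admin/index.php?action=search&searchitem=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "http://gallery.example/twg/admin/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2012:10:02:03 +0000] "GET /twg/image.php?twg_browserx=abc&twg_browsery=1 HTTP/1.1" 200 300 "-" "curl/7.26"
192.0.2.9 - - [10/Jun/2012:10:03:55 +0000] "POST /twg/admin/index.php?action=adduser HTTP/1.1" 302 0 "http://evil.example/page.html" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2012:10:04:10 +0000] "GET /twg/image.php?twg_browserx=1024&twg_browsery=768 HTTP/1.1" 200 300 "http://gallery.example/twg/index.php" "Mozilla/5.0"
192.0.2.11 - - [10/Jun/2012:10:05:10 +0000] "GET /twg/admin/index.php?action=copy&selitems[]=holiday.jpg HTTP/1.1" 200 512 "http://gallery.example/twg/admin/index.php" "Mozilla/5.0"
"""

SITE_HOST = "gallery.example"   # assumed hostname of the gallery install

# Apache combined format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

HTML_META = re.compile(r'[<>"\']')      # enough to break out of an attribute or tag
NUMERIC = re.compile(r"\d+")            # what a browser dimension should look like


def classify(entry: dict) -> list:
    """Return a list of finding tags for one parsed request (empty if clean)."""
    url = urlsplit(entry["target"])
    path = url.path
    params = parse_qs(url.query, keep_blank_values=True)   # keys are unquoted
    findings = []

    if path.endswith("/admin/index.php") or path == "admin/index.php":
        # Reflected XSS parameters named in the pre-1.8.8 XSS result.
        for key in ("selitems[]", "searchitem"):
            if any(HTML_META.search(v) for v in params.get(key, [])):
                findings.append(f"xss-probe:{key}")
        # Admin request arriving from another site: CSRF indicator. A missing
        # Referer ("-") is inconclusive and deliberately not flagged.
        ref_host = urlsplit(entry["referer"]).hostname
        if ref_host and ref_host != SITE_HOST:
            findings.append(f"cross-site-admin-request:{ref_host}")

    if path.endswith("/image.php"):
        # Path disclosure parameters from the 1.8.9 result: anything that is
        # not a plain integer is someone trying to provoke an error message.
        for key in ("twg_browserx", "twg_browsery"):
            if any(not NUMERIC.fullmatch(v) for v in params.get(key, [])):
                findings.append(f"path-disclosure-probe:{key}")

    return findings


def scan(log_text: str) -> list:
    """Parse every line and return (ip, target, findings) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip
        findings = classify(m.groupdict())
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(f"{ip:<14} {', '.join(findings):<40} {target}")
```

Run as-is it prints four hits and leaves the two benign requests alone. The Referer heuristic is deliberately conservative: it only fires when a Referer is present and names another host, because many clients strip the header entirely, and flagging every admin request without one would bury the signal.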