Filtered by vendor Piwigo
Subscriptions
Filtered by product Piwigo
Subscriptions
Total
93 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-7724 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible. | ||||
| CVE-2018-7723 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible. | ||||
| CVE-2018-7722 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible. | ||||
| CVE-2018-6883 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator. | ||||
| CVE-2018-5692 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. | ||||
| CVE-2016-3735 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 8.1 High |
| Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset. | ||||
| CVE-2014-4613 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php. | ||||
| CVE-2012-4526 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.1 Medium |
| piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) | ||||
| CVE-2012-4525 | 1 Piwigo | 1 Piwigo | 2024-11-21 | 6.1 Medium |
| piwigo has XSS in password.php | ||||
| CVE-2024-48311 | 1 Piwigo | 1 Piwigo | 2024-11-01 | 8.8 High |
| Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. | ||||
| CVE-2024-46606 | 1 Piwigo | 1 Piwigo | 2024-10-18 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | ||||
| CVE-2024-46605 | 1 Piwigo | 1 Piwigo | 2024-10-18 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field. | ||||
| CVE-2024-46333 | 1 Piwigo | 1 Piwigo | 2024-09-30 | 4.8 Medium |
| An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function. | ||||