SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.
Max CVSS: 7.5 | EPSS Score: 0.13% | Published: 2009-08-21 | Updated: 2018-10-10

Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS: 4.3 | EPSS Score: 0.21% | Published: 2009-11-20 | Updated: 2009-11-23

Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.
Max CVSS: 4.3 | EPSS Score: 0.11% | Published: 2010-05-04 | Updated: 2010-05-04

Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.
Max CVSS: 5.0 | EPSS Score: 0.23% | Published: 2011-09-24 | Updated: 2012-05-21

Directory traversal vulnerability in upgrade.php in Piwigo before 2.3.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
Max CVSS: 7.5 | EPSS Score: 3.73% | Published: 2012-08-14 | Updated: 2017-08-29

Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module.
Max CVSS: 4.3 | EPSS Score: 0.72% | Published: 2012-08-14 | Updated: 2017-08-29

Piwigo has XSS in password.php
Max CVSS: 6.1 | EPSS Score: 0.29% | Published: 2019-12-02 | Updated: 2019-12-04

Piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)
Max CVSS: 6.1 | EPSS Score: 0.29% | Published: 2019-12-02 | Updated: 2019-12-04

Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.
Max CVSS: 7.6 | EPSS Score: 22.89% | Published: 2013-03-14 | Updated: 2013-10-03

Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.
Max CVSS: 4.0 | EPSS Score: 69.28% | Published: 2013-03-13 | Updated: 2013-03-19

Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.
Max CVSS: 4.3 | EPSS Score: 0.19% | Published: 2014-08-14 | Updated: 2014-08-14

Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.
Max CVSS: 4.3 | EPSS Score: 0.22% | Published: 2014-08-17 | Updated: 2014-09-08

Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
Max CVSS: 6.5 | EPSS Score: 1.21% | Published: 2018-03-16 | Updated: 2018-04-09

Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.
Max CVSS: 6.8 | EPSS Score: 0.16% | Published: 2014-07-02 | Updated: 2014-07-09

Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."
Max CVSS: 10.0 | EPSS Score: 0.25% | Published: 2014-06-28 | Updated: 2014-06-30

SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.
Max CVSS: 6.5 | EPSS Score: 0.10% | Published: 2014-06-28 | Updated: 2014-06-30

Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources.
Max CVSS: 7.5 | EPSS Score: 0.12% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.
Max CVSS: 7.8 | EPSS Score: 0.04% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages.
Max CVSS: 5.3 | EPSS Score: 0.26% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI.
Max CVSS: 5.3 | EPSS Score: 0.25% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows CSRF.
Max CVSS: 8.8 | EPSS Score: 0.12% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.
Max CVSS: 8.8 | EPSS Score: 0.11% | Published: 2020-06-01 | Updated: 2020-06-02

Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2020-06-01 | Updated: 2020-06-02

admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.
Max CVSS: 9.8 | EPSS Score: 1.35% | Published: 2020-06-01 | Updated: 2020-06-02

101 vulnerabilities found