Piwigo
by Piwigo
CVEs (107)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-45357 | 0.00 | — | 0.01 | Feb 10, 2022 | Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php. |
| CVE-2016-3735 | 0.00 | — | 0.01 | Jan 28, 2022 | Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to using mt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This allows an unauthenticated attacker… |
| CVE-2021-40882 | 0.00 | — | 0.01 | Dec 14, 2021 | A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location. |
| CVE-2021-40313 | 0.00 | — | 0.01 | Dec 6, 2021 | Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php. |
| CVE-2020-22150 | 0.00 | — | 0.01 | Jul 21, 2021 | A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML. |
| CVE-2020-22148 | 0.00 | — | 0.01 | Jul 21, 2021 | A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML. |
| CVE-2021-32615 | 0.00 | — | 0.02 | May 13, 2021 | Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection. |
| CVE-2021-31783 | 0.00 | — | 0.01 | Apr 26, 2021 | show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check. |
| CVE-2014-8944 | 0.00 | — | 0.01 | Jun 1, 2020 | Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter. |
| CVE-2020-8089 | 0.00 | — | 0.01 | Feb 10, 2020 | Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page. |
| CVE-2012-4526 | 0.00 | — | 0.01 | Dec 2, 2019 | piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) |
| CVE-2012-4525 | 0.00 | — | 0.01 | Dec 2, 2019 | piwigo has XSS in password.php |
| CVE-2019-13364 | 0.00 | — | 0.01 | Sep 13, 2019 | admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF. |
| CVE-2019-13363 | 0.00 | — | 0.01 | Sep 13, 2019 | admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit… |
| CVE-2015-2035 | 0.00 | — | 0.02 | Feb 20, 2015 | SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php. |
| CVE-2015-2034 | 0.00 | — | 0.02 | Feb 20, 2015 | Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php. |
| CVE-2015-1517 | 0.00 | — | 0.03 | Feb 20, 2015 | SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php. |
| CVE-2015-1441 | 0.00 | — | 0.01 | Feb 3, 2015 | SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2014-3900 | 0.00 | — | 0.02 | Aug 17, 2014 | Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649. |
| CVE-2014-1980 | 0.00 | — | 0.01 | Aug 14, 2014 | Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin. |
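The CVE-2016-3735 entry describes the weakness in one sentence: a password-reset token drawn from a seeded mt_rand() is a deterministic function of that seed. The following PHP script is an added illustration of that failure mode and of the fix; it is not Piwigo's code. The function names, the seed value and the search bound are hypothetical, chosen so the brute-force finishes in well under a second.

```php
<?php
// Added example for the CVE-2016-3735 entry above. Not Piwigo code: the
// function names and the seed value are hypothetical, constructed to show
// why a seeded mt_rand() must not generate password-reset tokens.

// Weak: four mt_rand() outputs (31 bits each) hex-encoded. mt_rand() is a
// Mersenne Twister; its output is a pure function of the seed, so anyone who
// recovers the seed can regenerate every token issued afterwards.
function weak_reset_token(): string
{
    $token = '';
    for ($i = 0; $i < 4; $i++) {
        $token .= sprintf('%08x', mt_rand());
    }
    return $token;
}

// Hardened: 128 bits from the OS CSPRNG (random_bytes, PHP >= 7.0).
// There is no seed to recover, and earlier outputs say nothing about later ones.
function strong_reset_token(): string
{
    return bin2hex(random_bytes(16));
}

// Attacker side: replay candidate seeds until one reproduces a token the
// attacker obtained legitimately (a reset for their own account). The bound
// keeps the demo quick; the full 32-bit seed space is still a feasible search
// (tools such as php_mt_seed cover it in minutes on commodity hardware).
function recover_seed(string $observedToken, int $maxSeed): ?int
{
    for ($seed = 0; $seed <= $maxSeed; $seed++) {
        mt_srand($seed);
        if (weak_reset_token() === $observedToken) {
            return $seed;
        }
    }
    return null;
}

// Victim server: seeds once with a (hypothetical) small value and then hands
// out reset tokens in sequence.
mt_srand(31337);
$attackerToken = weak_reset_token();   // reset requested for the attacker's account
$victimToken   = weak_reset_token();   // reset requested for the victim's account

// Attacker: recover the seed from their own token, replay the stream, and
// compute the token that was mailed to the victim.
$seed = recover_seed($attackerToken, 1 << 17);
if ($seed === null) {
    exit("seed not within search bound\n");
}
mt_srand($seed);
weak_reset_token();                    // skip the attacker's own token
$predicted = weak_reset_token();

printf("recovered seed %d; predicted victim token matches: %s\n",
    $seed, $predicted === $victimToken ? 'yes' : 'no');
printf("CSPRNG token (not reproducible): %s\n", strong_reset_token());
```

The search here is over a deliberately tiny seed range; the point is not the speed of the loop but that the token stream is replayable at all. Any token or secret that gates authentication (reset links, session identifiers, CSRF tokens) should come from random_bytes() or random_int(), never from mt_rand(), rand(), uniqid() or a hash of the current time.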
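The CVE-2021-31783 entry attributes the local file inclusion to a `file` parameter "not validated with a proper regular-expression check". The PHP below is an added example, not the LocalFilesEditor extension's code, of what "proper" means in practice: an anchored regex over the whole string, an allowlist of editable directories, and a realpath() containment check that also defeats symlinks. The functions, the allowlist and the scratch directory are hypothetical.

```php
<?php
// Added example for the CVE-2021-31783 entry above. Not the extension's code:
// the functions, the allowlist and the scratch gallery are constructed to
// contrast an unchecked path with a validated one.

// Vulnerable pattern: the request parameter is joined to the gallery root as-is,
// so "../../etc/passwd" walks straight out of it.
function unsafe_local_path(string $root, string $file): string
{
    return $root . '/' . $file;
}

// Hardened: three independent checks; any one of them rejects the request.
function safe_local_path(string $root, string $file, array $allowedDirs): ?string
{
    // 1. Anchored regex over the whole string (\A ... \z): relative paths made
    //    of [A-Za-z0-9_.-] segments, each starting with a non-dot character, so
    //    "..", ".", dotfiles, absolute paths, backslashes and NUL bytes never match.
    $segment = '[A-Za-z0-9_-][A-Za-z0-9_.-]*';
    if (!preg_match("~\\A{$segment}(?:/{$segment})*\\z~", $file)) {
        return null;
    }
    // 2. Only directories the editor is meant to touch.
    $allowed = false;
    foreach ($allowedDirs as $dir) {
        if (strncmp($file, $dir . '/', strlen($dir) + 1) === 0) {
            $allowed = true;
            break;
        }
    }
    if (!$allowed) {
        return null;
    }
    // 3. Resolve symlinks and confirm the result still lives under $root.
    $rootReal = realpath($root);
    $real     = realpath($root . '/' . $file);
    if ($rootReal === false || $real === false
        || strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Scratch gallery layout for the demo (constructed).
$root = sys_get_temp_dir() . '/lfe_demo_' . getmypid();
mkdir("$root/local/config", 0700, true);
file_put_contents("$root/local/config/config_local.inc.php", "<?php // ok\n");
file_put_contents("$root/secret.txt", "not editable\n");

$allowedDirs = ['local/config', 'local/css'];
$inputs = [
    'local/config/config_local.inc.php',        // legitimate
    '../../etc/passwd',                          // classic traversal
    'local/config/../../secret.txt',             // traversal behind an allowed prefix
    '/etc/passwd',                               // absolute path
    'include/functions.inc.php',                 // valid syntax, not an editable directory
    "local/config/config_local.inc.php\0.jpg",   // NUL-byte truncation attempt
];
foreach ($inputs as $file) {
    $shown = str_replace("\0", '\0', $file);
    echo "input: $shown\n";
    echo "  unchecked path: " . str_replace("\0", '\0', unsafe_local_path($root, $file)) . "\n";
    echo "  validated:      " . (safe_local_path($root, $file, $allowedDirs) ?? 'REJECTED') . "\n";
}

// Tidy up the scratch directory.
unlink("$root/local/config/config_local.inc.php");
unlink("$root/secret.txt");
rmdir("$root/local/config");
rmdir("$root/local");
rmdir($root);
```

Only the first input survives all three checks. The regex alone already stops every traversal form shown, which is the class of check the advisory says was missing; the allowlist and the realpath() comparison are cheap defence in depth against an editable directory that contains a symlink pointing outside the gallery.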
Page 5 of 6