VYPR

Piwigo

by Piwigo


CVEs (107)

  • CVE-2021-45357 (Feb 10, 2022)
    risk 0.00 | cvss | epss 0.01

    Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.

  • CVE-2016-3735 (Jan 28, 2022)
    risk 0.00 | cvss | epss 0.01

    Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to using mt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker…

  • CVE-2021-40882 (Dec 14, 2021)
    risk 0.00 | cvss | epss 0.01

    A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.

  • CVE-2021-40313 (Dec 6, 2021)
    risk 0.00 | cvss | epss 0.01

    Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.

  • CVE-2020-22150 (Jul 21, 2021)
    risk 0.00 | cvss | epss 0.01

    A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2020-22148 (Jul 21, 2021)
    risk 0.00 | cvss | epss 0.01

    A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

  • CVE-2021-32615 (May 13, 2021)
    risk 0.00 | cvss | epss 0.02

    Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.

  • CVE-2021-31783 (Apr 26, 2021)
    risk 0.00 | cvss | epss 0.01

    show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.

  • CVE-2014-8944 (Jun 1, 2020)
    risk 0.00 | cvss | epss 0.01

    Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.

  • CVE-2020-8089 (Feb 10, 2020)
    risk 0.00 | cvss | epss 0.01

    Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

  • CVE-2012-4526 (Dec 2, 2019)
    risk 0.00 | cvss | epss 0.01

    piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)

  • CVE-2012-4525 (Dec 2, 2019)
    risk 0.00 | cvss | epss 0.01

    piwigo has XSS in password.php

  • CVE-2019-13364 (Sep 13, 2019)
    risk 0.00 | cvss | epss 0.01

    admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.

  • CVE-2019-13363 (Sep 13, 2019)
    risk 0.00 | cvss | epss 0.01

    admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit…

  • CVE-2015-2035 (Feb 20, 2015)
    risk 0.00 | cvss | epss 0.02

    SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.

  • CVE-2015-2034 (Feb 20, 2015)
    risk 0.00 | cvss | epss 0.02

    Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.

  • CVE-2015-1517 (Feb 20, 2015)
    risk 0.00 | cvss | epss 0.03

    SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.

  • CVE-2015-1441 (Feb 3, 2015)
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2014-3900 (Aug 17, 2014)
    risk 0.00 | cvss | epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.

  • CVE-2014-1980 (Aug 14, 2014)
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.

Page 5 of 6