MidnightBSD

Advisories for piwigo

CVE-2009-2933 HIGH

SQL injection vulnerability in comments.php in Piwigo before 2.0.3 allows remote attackers to execute arbitrary SQL commands via the items_number parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2010-1707 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 1.3.1
piwigo piwigo 1.3.0
piwigo piwigo *
piwigo piwigo 1.3.4
piwigo piwigo 2.0.7
piwigo piwigo 1.0.0
piwigo piwigo 1.5.0
piwigo piwigo 2.0.1
piwigo piwigo 2.0.0
piwigo piwigo 1.7.0
piwigo piwigo 2.0.2
piwigo piwigo 1.7.2
piwigo piwigo 2.0.8
piwigo piwigo 1.1.0
piwigo piwigo 1.7.3
piwigo piwigo 1.5.1
piwigo piwigo 2.0.6
piwigo piwigo 1.2.1
piwigo piwigo 1.7.1
piwigo piwigo 1.6.2
piwigo piwigo 1.2.0
piwigo piwigo 2.0.3
piwigo piwigo 2.0.4
piwigo piwigo 1.0.1
piwigo piwigo 1.0.2
piwigo piwigo 2.0.5
piwigo piwigo 1.4.0
piwigo piwigo 1.4.1
piwigo piwigo 1.5.2
piwigo piwigo 1.6.0
piwigo piwigo 1.6.1
piwigo piwigo 1.3.2
piwigo piwigo 1.3.3
CVE-2011-3790 MEDIUM

Piwigo 2.1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tools/metadata.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
piwigo piwigo 2.1.5
CVE-2013-1468 HIGH

Cross-site request forgery (CSRF) vulnerability in the LocalFiles Editor plugin in Piwigo before 2.4.7 allows remote attackers to hijack the authentication of administrators for requests that create arbitrary PHP files via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 1.3.1
piwigo piwigo 2.2.4
piwigo piwigo 2.4.5
piwigo piwigo 1.0.0
piwigo piwigo 2.4.1
piwigo piwigo 2.2.3
piwigo piwigo 2.0
piwigo piwigo 2.0.0
piwigo piwigo 1.7.0
piwigo piwigo 2.2.2
piwigo piwigo 2.0.9
piwigo piwigo 1.7.2
piwigo piwigo 2.0.8
piwigo piwigo 1.7.3
piwigo piwigo 1.5.1
piwigo piwigo 2.1.5
piwigo piwigo 2.0.6
piwigo piwigo 2.4.0
piwigo piwigo 1.2.0
piwigo piwigo 2.0.3
piwigo piwigo 2.0.4
piwigo piwigo 1.0.2
piwigo piwigo 2.0.5
piwigo piwigo 2.0.10
piwigo piwigo 2.3.4
piwigo piwigo 2.2.1
piwigo piwigo 1.5.2
piwigo piwigo 2.1.2
piwigo piwigo 1.6.0
piwigo piwigo 2.1.6
piwigo piwigo 2.3.3
piwigo piwigo 2.4.2
piwigo piwigo 2.1.0
piwigo piwigo 1.3.0
piwigo piwigo *
piwigo piwigo 1.3.4
piwigo piwigo 2.0.7
piwigo piwigo 1.5.0
piwigo piwigo 2.1.3
piwigo piwigo 2.0.1
piwigo piwigo 2.4.3
piwigo piwigo 2.2.5
piwigo piwigo 2.0.2
piwigo piwigo 1.1.0
piwigo piwigo 2.2.0
piwigo piwigo 2.3.0
piwigo piwigo 1.2.1
piwigo piwigo 1.7.1
piwigo piwigo 1.6.2
piwigo piwigo 2.1.1
piwigo piwigo 1.0.1
piwigo piwigo 1.4.0
piwigo piwigo 1.4.1
piwigo piwigo 2.3.1
piwigo piwigo 2.4.4
piwigo piwigo 2.3.2
piwigo piwigo 2.1.4
piwigo piwigo 1.6.1
piwigo piwigo 1.3.2
piwigo piwigo 2.3.5
piwigo piwigo 1.3.3
CVE-2013-1469 MEDIUM

Directory traversal vulnerability in install.php in Piwigo before 2.4.7 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the dl parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
piwigo piwigo 1.3.1
piwigo piwigo 2.2.4
piwigo piwigo 2.4.5
piwigo piwigo 1.0.0
piwigo piwigo 2.4.1
piwigo piwigo 2.2.3
piwigo piwigo 2.0
piwigo piwigo 2.0.0
piwigo piwigo 1.7.0
piwigo piwigo 2.2.2
piwigo piwigo 2.0.9
piwigo piwigo 1.7.2
piwigo piwigo 2.0.8
piwigo piwigo 1.7.3
piwigo piwigo 1.5.1
piwigo piwigo 2.1.5
piwigo piwigo 2.0.6
piwigo piwigo 2.4.0
piwigo piwigo 1.2.0
piwigo piwigo 2.0.3
piwigo piwigo 2.0.4
piwigo piwigo 1.0.2
piwigo piwigo 2.0.5
piwigo piwigo 2.0.10
piwigo piwigo 2.3.4
piwigo piwigo 2.2.1
piwigo piwigo 1.5.2
piwigo piwigo 2.1.2
piwigo piwigo 1.6.0
piwigo piwigo 2.1.6
piwigo piwigo 2.3.3
piwigo piwigo 2.4.2
piwigo piwigo 2.1.0
piwigo piwigo 1.3.0
piwigo piwigo *
piwigo piwigo 1.3.4
piwigo piwigo 2.0.7
piwigo piwigo 1.5.0
piwigo piwigo 2.1.3
piwigo piwigo 2.0.1
piwigo piwigo 2.4.3
piwigo piwigo 2.2.5
piwigo piwigo 2.0.2
piwigo piwigo 1.1.0
piwigo piwigo 2.2.0
piwigo piwigo 2.3.0
piwigo piwigo 1.2.1
piwigo piwigo 1.7.1
piwigo piwigo 1.6.2
piwigo piwigo 2.1.1
piwigo piwigo 1.0.1
piwigo piwigo 1.4.0
piwigo piwigo 1.4.1
piwigo piwigo 2.3.1
piwigo piwigo 2.4.4
piwigo piwigo 2.3.2
piwigo piwigo 2.1.4
piwigo piwigo 1.6.1
piwigo piwigo 1.3.2
piwigo piwigo 2.3.5
piwigo piwigo 1.3.3
CVE-2014-125053 MEDIUM

A vulnerability was found in Piwigo-Guest-Book up to 1.3.0. It has been declared as critical. This vulnerability affects unknown code of the file include/guestbook.inc.php of the component Navigation Bar. The manipulation of the argument start leads to sql injection. Upgrading to version 1.3.1 is able to address this issue. The patch is identified as 0cdd1c388edf15089c3a7541cefe7756e560581d. It is recommended to upgrade the affected component. VDB-217582 is the identifier assigned to this vulnerability.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo guestbook *
CVE-2014-1980 MEDIUM

Cross-site scripting (XSS) vulnerability in include/functions_metadata.inc.php in Piwigo before 2.4.6 allows remote attackers to inject arbitrary web script or HTML via the Make field in IPTC Exif metadata within an image uploaded to the Community plugin.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.4.2
piwigo piwigo 2.1.0
piwigo piwigo 2.2.4
piwigo piwigo *
piwigo piwigo 2.0.7
piwigo piwigo 2.4.1
piwigo piwigo 2.2.3
piwigo piwigo 2.1.3
piwigo piwigo 2.0.1
piwigo piwigo 2.0.0
piwigo piwigo 2.4.3
piwigo piwigo 2.2.2
piwigo piwigo 2.2.5
piwigo piwigo 2.0.2
piwigo piwigo 2.0.9
piwigo piwigo 2.0.8
piwigo piwigo 2.2.0
piwigo piwigo 2.1.5
piwigo piwigo 2.3.0
piwigo piwigo 2.0.6
piwigo piwigo 2.4.0
piwigo piwigo 2.1.1
piwigo piwigo 2.0.3
piwigo piwigo 2.0.4
piwigo piwigo 2.0.5
piwigo piwigo 2.0.10
piwigo piwigo 2.3.4
piwigo piwigo 2.2.1
piwigo piwigo 2.3.1
piwigo piwigo 2.1.2
piwigo piwigo 2.4.4
piwigo piwigo 2.1.6
piwigo piwigo 2.3.2
piwigo piwigo 2.1.4
piwigo piwigo 2.3.3
piwigo piwigo 2.3.5
CVE-2014-3900 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/picture_modify.php in the photo-edit subsystem in Piwigo 2.6.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the associate[] field, a different vulnerability than CVE-2014-4649.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.6.1
piwigo piwigo *
piwigo piwigo 2.6.2
piwigo piwigo 2.6.0
CVE-2014-4613 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2014-4614 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Piwigo before 2.6.2 allow remote attackers to hijack the authentication of administrators for requests that use the (1) pwg.groups.addUser, (2) pwg.groups.deleteUser, (3) pwg.groups.setInfo, (4) pwg.users.setInfo, (5) pwg.permissions.add, or (6) pwg.permissions.remove method.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 1.3.1
piwigo piwigo 2.2.4
piwigo piwigo 2.4.5
piwigo piwigo 1.0.0
piwigo piwigo 2.4.1
piwigo piwigo 2.2.3
piwigo piwigo 2.0
piwigo piwigo 2.0.0
piwigo piwigo 1.7.0
piwigo piwigo 2.2.2
piwigo piwigo 2.0.9
piwigo piwigo 1.7.2
piwigo piwigo 2.0.8
piwigo piwigo 1.7.3
piwigo piwigo 1.5.1
piwigo piwigo 2.1.5
piwigo piwigo 2.0.6
piwigo piwigo 2.4.0
piwigo piwigo 2.4.7
piwigo piwigo 1.2.0
piwigo piwigo 2.0.3
piwigo piwigo 2.0.4
piwigo piwigo 2.6.0
piwigo piwigo 1.0.2
piwigo piwigo 2.0.5
piwigo piwigo 2.0.10
piwigo piwigo 2.3.4
piwigo piwigo 2.2.1
piwigo piwigo 1.5.2
piwigo piwigo 2.1.2
piwigo piwigo 1.6.0
piwigo piwigo 2.1.6
piwigo piwigo 2.3.3
piwigo piwigo 2.4.2
piwigo piwigo 2.1.0
piwigo piwigo 2.4.6
piwigo piwigo 1.3.0
piwigo piwigo *
piwigo piwigo 1.3.4
piwigo piwigo 2.0.7
piwigo piwigo 1.5.0
piwigo piwigo 2.1.3
piwigo piwigo 2.0.1
piwigo piwigo 2.4.3
piwigo piwigo 2.2.5
piwigo piwigo 2.0.2
piwigo piwigo 2.5.0
piwigo piwigo 1.1.0
piwigo piwigo 2.2.0
piwigo piwigo 2.3.0
piwigo piwigo 1.2.1
piwigo piwigo 1.7.1
piwigo piwigo 1.6.2
piwigo piwigo 2.1.1
piwigo piwigo 1.0.1
piwigo piwigo 1.4.0
piwigo piwigo 1.4.1
piwigo piwigo 2.3.1
piwigo piwigo 2.4.4
piwigo piwigo 2.3.2
piwigo piwigo 2.1.4
piwigo piwigo 1.6.1
piwigo piwigo 1.3.2
piwigo piwigo 2.3.5
piwigo piwigo 1.3.3
CVE-2014-4648 HIGH

Unspecified vulnerability in Piwigo before 2.6.3 has unknown impact and attack vectors, related to a "security failure."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
piwigo piwigo 2.6.1
piwigo piwigo *
piwigo piwigo 2.6.0
CVE-2014-4649 MEDIUM

SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate[] field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.6.3
piwigo piwigo 2.6.1
piwigo piwigo 2.6.2
piwigo piwigo 2.7.0
piwigo piwigo 2.6.0
CVE-2014-8937 MEDIUM

Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8938 LOW

Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8939 MEDIUM

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8940 MEDIUM

Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8941 HIGH

Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8942 MEDIUM

Lexiglot through 2014-11-20 allows CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8943 MEDIUM

Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8944 LOW

Lexiglot through 2014-11-20 allows XSS (Reflected) via the username, or XSS (Stored) via the admin.php?page=config install_name, intro_message, or new_file_content parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-8945 HIGH

admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
piwigo lexiglot *
CVE-2014-9115 HIGH

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitrary SQL commands via the rate parameter to picture.php, related to an improper data type in a comparison of a non-numeric value that begins with a digit.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.6.3
piwigo piwigo 2.6.1
piwigo piwigo *
piwigo piwigo 2.6.2
piwigo piwigo 2.7.1
piwigo piwigo 2.7.0
piwigo piwigo 2.6.0
CVE-2015-1441 HIGH

SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.6.3
piwigo piwigo 2.6.4
piwigo piwigo 2.6.1
piwigo piwigo *
piwigo piwigo 2.6.2
piwigo piwigo 2.7.1
piwigo piwigo 2.7.2
piwigo piwigo 2.7.0
piwigo piwigo 2.6.0
CVE-2015-1517 MEDIUM

SQL injection vulnerability in Piwigo before 2.7.4, when all filters are activated, allows remote authenticated users to execute arbitrary SQL commands via the filter_level parameter in a "Refresh photo set" action in the batch_manager page to admin.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2015-2034 MEDIUM

Cross-site scripting (XSS) vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter to admin.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2015-2035 MEDIUM

SQL injection vulnerability in the administrative backend in Piwigo before 2.7.4 allows remote administrators to execute arbitrary SQL commands via the user parameter in the history page to admin.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10083 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10084 MEDIUM

admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10085 MEDIUM

admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10105 HIGH

admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-284,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10513 MEDIUM

Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-10514 MEDIUM

url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-3735 MEDIUM

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after recovering the seed used to generate it. This low an unauthenticated attacker to take over an account providing they know an administrators email address in order to be able to request password reset.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-335,CWE-335,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2016-9751 MEDIUM

Cross-site scripting (XSS) vulnerability in the search results front end in Piwigo 2.8.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.8.3
CVE-2017-10678 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to delete permalinks via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-10679 MEDIUM

Piwigo through 2.9.1 allows remote attackers to obtain sensitive information about the descriptive name of a permalink by examining the redirect URL that is returned in a request for the permalink ID number of a private album. The permalink ID numbers are easily guessed.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-10680 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to change a private album to public via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-10681 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9.1 allows remote attackers to hijack the authentication of users for requests to unlock albums via a crafted request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-10682 HIGH

SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-16893 MEDIUM

The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. tags.php is affected: values of the edit_list parameters are not sanitized; these are used to construct an SQL query and retrieve a list of registered users into the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-17774 MEDIUM

admin/configuration.php in Piwigo 2.9.2 has CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17775 MEDIUM

Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17822 MEDIUM

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17823 MEDIUM

The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17824 MEDIUM

The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. An attacker can exploit this to gain access to the data in a connected MySQL database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17825 LOW

The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via tags-* array parameters in an admin.php?page=batch_manager&mode=unit request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17826 MEDIUM

The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. An attacker can exploit this to hijack a client's browser along with the data stored in it.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-17827 MEDIUM

Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. An attacker can exploit this to coerce an admin user into performing unintended actions.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.2
CVE-2017-5608 MEDIUM

Cross-site scripting (XSS) vulnerability in the image upload function in Piwigo before 2.8.6 allows remote attackers to inject arbitrary web script or HTML via a crafted image filename.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-9452 LOW

Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-9463 MEDIUM

The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-9464 MEDIUM

An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2017-9836 LOW

Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album).

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.1
CVE-2018-5692 MEDIUM

Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.8.2
CVE-2018-6883 MEDIUM

Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. The attacker must be an administrator.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2018-7722 LOW

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.3
CVE-2018-7723 LOW

The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.3
CVE-2018-7724 LOW

The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.3
CVE-2019-13363 MEDIUM

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2019-13364 MEDIUM

admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-352,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-19212 MEDIUM

SQL Injection vulnerability in admin/group_list.php in piwigo v2.9.5, via the group parameter to delete.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-19213 HIGH

SQL Injection vulnerability in cat_move.php in piwigo v2.9.5, via the selection parameter to move_categories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-19215 MEDIUM

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=user_perm.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-19216 MEDIUM

SQL Injection vulnerability in admin/user_perm.php in piwigo v2.9.5, via the cat_false parameter to admin.php?page=group_perm.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-19217 MEDIUM

SQL Injection vulnerability in admin/batch_manager.php in piwigo v2.9.5, via the filter_category parameter to admin.php?page=batch_manager.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.5
CVE-2020-22148 MEDIUM

A stored cross site scripting (XSS) vulnerability in /admin.php?page=tags of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.10.1
CVE-2020-22150 MEDIUM

A cross site scripting (XSS) vulnerability in /admin.php?page=permalinks of Piwigo 2.10.1 allows attackers to execute arbitrary web scripts or HTML.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.10.1
CVE-2020-8089 LOW

Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.10.1
CVE-2020-9467 LOW

Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 2.10.1
CVE-2020-9468 MEDIUM

The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
piwigo piwigo 2.9.0
CVE-2021-27973 MEDIUM

SQL injection exists in Piwigo before 11.4.0 via the language parameter to admin.php?page=languages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2021-31783 MEDIUM

show_default.php in the LocalFilesEditor extension before 11.4.0.1 for Piwigo allows Local File Inclusion because the file parameter is not validated with a proper regular-expression check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-345,

Products Affected

Vendor Product Version
piwigo localfiles_editor *
CVE-2021-32615 HIGH

Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 11.4.0
CVE-2021-40313 MEDIUM

Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 11.5.0
CVE-2021-40317 MEDIUM

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 11.5.0
CVE-2021-40553 MEDIUM

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
piwigo piwigo 11.5.0
CVE-2021-40678 LOW

In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batch_manager&mode=unit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 11.5.0
CVE-2021-40882 MEDIUM

A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 11.5.0
CVE-2021-45357 MEDIUM

Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2022-24620 LOW

Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster's cookies to get the webmaster's access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
piwigo piwigo 12.2.0
CVE-2022-26266 MEDIUM

Piwigo v12.2.0 was discovered to contain a SQL injection vulnerability via pwg.users.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo 12.2.0
CVE-2022-26267 MEDIUM

Piwigo v12.2.0 was discovered to contain an information leak via the action parameter in /admin/maintenance_actions.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
piwigo piwigo 12.2.0
CVE-2022-32297 MEDIUM

Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2022-37183

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
piwigo piwigo 12.3.0
CVE-2022-48007

A stored cross-site scripting (XSS) vulnerability in identification.php of Piwigo v13.4.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User-Agent.

Products Affected

Vendor Product Version
piwigo piwigo 13.4.0
CVE-2023-26876

SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2023-27233

Piwigo before 13.6.0 was discovered to contain a SQL injection vulnerability via the order[0][dir] parameter at user_list_backend.php.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2023-33359

Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.

Products Affected

Vendor Product Version
piwigo piwigo 13.6.0
CVE-2023-33361

Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php.

Products Affected

Vendor Product Version
piwigo piwigo 13.6.0
CVE-2023-33362

Piwigo 13.6.0 is vulnerable to SQL Injection via in the "profile" function.

Products Affected

Vendor Product Version
piwigo piwigo 13.6.0
CVE-2023-34626

Piwigo 13.7.0 is vulnerable to SQL Injection via the "Users" function.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2023-37270

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header `User-Agent` is vulnerable at the endpoint that records user information when logging in to the administrator screen. It is possible to execute arbitrary SQL statements. Someone who wants to exploit the vulnerability must be log in to the administrator screen, even with low privileges. Any SQL statement can be executed. Doing so may leak information from the database. Version 13.8.0 contains a fix for this issue. As another mitigation, those who want to execute a SQL statement verbatim with user-enterable parameters should be sure to escape the parameter contents appropriately.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2023-44393

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 9.3 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N 2.8 5.8

Products Affected

Vendor Product Version
piwigo piwigo *
piwigo piwigo 14.0.0
CVE-2023-51790

Cross Site Scripting vulnerability in piwigo v.14.0.0 allows a remote attacker to obtain sensitive information via the lang parameter in the Admin Tools plug-in component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
piwigo piwigo 14.0.0
CVE-2024-26450

An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2024-28662

A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 script because of missing sanitization in create_tag in admin/include/functions.php.

Products Affected

Vendor Product Version
piwigo piwigo 14.2.0
CVE-2024-43018

Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2024-46333

An authenticated cross-site scripting (XSS) vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
piwigo piwigo 14.5.0
CVE-2024-46605

A cross-site scripting (XSS) vulnerability in the component /admin.php?page=album of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2024-46606

A cross-site scripting (XSS) vulnerability in the component /admin.php?page=photo of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2024-48311

Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
piwigo piwigo 14.5.0
CVE-2024-48928

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is constructed partially from the secret key, and this can be used to check if the brute force succeeded. Trying all possible values takes approximately one hour. The impact of this is limited. The auto login key uses the user's password on top of the secret key. The pwg token uses the user's session identifier on top of the secret key. It seems that values for get_ephemeral_key can be generated when one knows the secret key. Version 15.0.0 contains a fix for the issue.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2024-52701

A stored cross-site scripting (XSS) vulnerability in the Configuration page of Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page banner parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
piwigo piwigo 14.5.0
CVE-2025-62406

Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
piwigo piwigo 15.6.0
CVE-2025-62512

Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2026-27634

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type validation. This could result in an unauthenticated attacker reading the full database, including user password hashes. This issue has been patched in version 16.3.0.

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2026-27833

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2026-27834

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
piwigo piwigo *
CVE-2026-27885

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including user credentials, email addresses, and all stored content. This issue has been patched in version 16.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
piwigo piwigo *