Vulnerabilities > Piwigo > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-01 | CVE-2014-8942 | Cross-Site Request Forgery (CSRF) vulnerability in Piwigo Lexiglot 20141110 Lexiglot through 2014-11-20 allows CSRF. | 6.8 |
| 2020-06-01 | CVE-2014-8940 | Information Exposure vulnerability in Piwigo Lexiglot 20141110 Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI. | 5.0 |
| 2020-06-01 | CVE-2014-8939 | Path Traversal vulnerability in Piwigo Lexiglot 20141110 Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages. | 4.3 |
| 2020-06-01 | CVE-2014-8937 | Resource Exhaustion vulnerability in Piwigo Lexiglot 20141110 Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources. | 5.0 |
| 2020-03-26 | CVE-2020-9468 | Improper Input Validation vulnerability in Piwigo 2.9.0 The Community plugin 2.9.e-beta for Piwigo allows users to set image information on images in albums for which they do not have permission, by manipulating the image_id parameter. | 4.0 |
| 2019-12-02 | CVE-2012-4526 | Cross-site Scripting vulnerability in Piwigo piwigo has XSS in password.php (incomplete fix for CVE-2012-4525) | 4.3 |
| 2019-12-02 | CVE-2012-4525 | Cross-site Scripting vulnerability in Piwigo piwigo has XSS in password.php | 4.3 |
| 2018-03-16 | CVE-2014-4613 | Cross-Site Request Forgery (CSRF) vulnerability in Piwigo Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php. | 4.3 |
| 2018-02-24 | CVE-2018-6883 | SQL Injection vulnerability in Piwigo Piwigo before 2.9.3 has SQL injection in admin/tags.php in the administration panel, via the tags array parameter in an admin.php?page=tags request. | 4.0 |
| 2018-01-14 | CVE-2018-5692 | Cross-site Scripting vulnerability in Piwigo 2.8.2 Piwigo v2.8.2 has XSS via the `tab`, `to`, `section`, `mode`, `installstatus`, and `display` parameters of the `admin.php` file. | 4.3 |