Vulnerabilities > Piwigo > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | TAGS | RISK |
|---|---|---|---|---|---|
| 2017-12-21 | CVE-2017-17827 | Cross-Site Request Forgery (CSRF) vulnerability in Piwigo 2.9.2 | Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.php?page=configuration&section=main or /admin.php?page=batch_manager&mode=unit. | network, piwigo, CWE-352 | 6.8 |
| 2017-12-21 | CVE-2017-17826 | Cross-site Scripting vulnerability in Piwigo 2.9.2 | The Configuration component of Piwigo 2.9.2 is vulnerable to Persistent Cross Site Scripting via the gallery_title parameter in an admin.php?page=configuration&section=main request. | network, piwigo, CWE-79 | 4.3 |
| 2017-12-21 | CVE-2017-17824 | SQL Injection vulnerability in Piwigo 2.9.2 | The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/batch_manager_unit.php element_ids parameter in unit mode. | network, low complexity, piwigo, CWE-89 | 4.0 |
| 2017-12-21 | CVE-2017-17823 | SQL Injection vulnerability in Piwigo 2.9.2 | The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injection via the admin/configuration.php order_by array parameter. | network, low complexity, piwigo, CWE-89 | 4.0 |
| 2017-12-21 | CVE-2017-17822 | SQL Injection vulnerability in Piwigo 2.9.2 | The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. | network, low complexity, piwigo, CWE-89 | 4.0 |
| 2017-12-20 | CVE-2017-17775 | Cross-site Scripting vulnerability in Piwigo 2.9.2 | Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album-3-properties request. | network, piwigo, CWE-79 | 4.3 |
| 2017-12-20 | CVE-2017-17774 | Cross-Site Request Forgery (CSRF) vulnerability in Piwigo 2.9.2 | admin/configuration.php in Piwigo 2.9.2 has CSRF. | network, piwigo, CWE-352 | 6.8 |
| 2017-12-01 | CVE-2017-16893 | SQL Injection vulnerability in Piwigo | The application Piwigo is affected by an SQL injection vulnerability in version 2.9.2 and possibly prior. | network, low complexity, piwigo, CWE-89 | 4.0 |
| 2017-10-10 | CVE-2016-10514 | Improper Access Control vulnerability in Piwigo | url_check_format in include/functions.inc.php in Piwigo before 2.8.3 allows remote attackers to bypass intended access restrictions via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring. | network, piwigo, CWE-284 | 4.3 |
| 2017-10-10 | CVE-2016-10513 | Cross-site Scripting vulnerability in Piwigo | Cross Site Scripting (XSS) exists in Piwigo before 2.8.3 via a crafted search expression to include/functions_search.inc.php. | network, piwigo, CWE-79 | 4.3 |