Plegall

#8717de 53,632
31.4CVSS total
Vulnerabilidades · 4
Média
2
Alta
1
Crítica
1
PT-2023-24310
9.8
2023-05-23
Piwigo · Piwigo · CVE-2023-33362
**Name of the Vulnerable Software and Affected Versions** Piwigo version 13.6.0 **Description** The issue is related to SQL Injection via the `profile` function. **Recommendations** For Piwigo version 13.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2023-2929
9.0
2023-05-17
Piwigo · Piwigo · CVE-2023-27233
**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 13.6.0 **Description** The issue is related to a lack of validation of XML object sequences in the user list backend.php script of the Piwigo content management system. This can be exploited by a remote attacker to conduct SQL injection attacks via the `order[0][dir]` parameter at the "user list backend.php" endpoint. **Recommendations** For versions prior to 13.6.0, update to version 13.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `user list backend.php` endpoint or disabling the use of the `order[0][dir]` parameter until a patch is applied.
PT-2017-7910
6.1
2017-10-10
Piwigo · Piwigo · CVE-2016-10513
**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 2.8.3 **Description** A Cross Site Scripting (XSS) issue exists, allowing for the execution of malicious scripts via a crafted search expression. The issue is related to the `include/functions search.inc.php` file. **Recommendations** For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue.
PT-2017-7911
6.5
2017-10-10
Piwigo · Piwigo · CVE-2016-10514
**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 2.8.3 **Description** The issue allows remote attackers to bypass intended access restrictions. This can be achieved via a URL that contains a " character, or a URL beginning with a substring other than the http:// or https:// substring. The problem is located in the url check format function in include/functions.inc.php. **Recommendations** For versions prior to 2.8.3, update to version 2.8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the url check format function in include/functions.inc.php until a patch is available. Avoid using URLs that contain a " character or start with substrings other than http:// or https:// in the affected function.